Filighting (FIle highLIGHTING) is a proof of concept idea that I implemented in perl as a naive clustering and data reduction algorithm modeled on the way software is built on Windows platform.<\/p>\n
TL;DR; The algo is as follows:<\/p>\n
Yup. It’s that simple.<\/p>\n
Windows software can be built in many ways, using various programming languages, platforms and frameworks.<\/p>\n
For the purpose of this post we will focus on the most typical software packages that contain a couple of components:<\/p>\n
Notably, there are programs that are basically a single executable – many OS programs used to be just simple .exe f.ex. Notepad.exe, or Calc.exe. In newer versions of Windows they rely on additional localization files ( .mui), or are just links to other programs f.ex. Calc.exe on Windows 10 linking to a Metro application. While the programs that are just single executables are not the focus of this post, they certainly could be highlighted as possible ‘orphans’ by the very same algorithm, or its spin-offs.<\/p>\n
Knowing that software contains many files gives us a hint that there must be some links between them all that are somehow established during the compilation, installation, or program use phases.<\/p>\n
While it is hard to keep a track of it all, it certainly makes sense to try to imagine these interconnections and attempt to create a hidden graph that connects all these components together.<\/p>\n
It is also tempting to imagine that recognizing these connections would allow us to cluster files into buckets that could be then hidden from the ‘view’ during analysis!<\/p>\n
This is not an easy thing to do for the whole file system, but it works pretty well for selected case-scenarios and in particular – directories. And there is really a lot of ways to improve this especially if file format is considered and links not only between files, but also between files and the Registry are considered.<\/p>\n
As usual: subject to a further research!<\/p>\n
It’s very easy to abuse it. You just need to drop files that self-reference each other and to make it even more tricky, reference ‘good’ files on the system.<\/p>\n
Installations that cover more than one folder are also problematic (‘Common Files’ subfolder is a good example for ‘multi-folder’ installation).<\/p>\n
Protected files – usually compressed, virtualized main program executable files won’t reveal references to other files.<\/p>\n
There are probably more…<\/p>\n
Still… I do believe this is the future of DFIR tools, even if the possible implementations may vary a lot from the idea I am discussing here.<\/p>\n
‘Known hashes’ is good.<\/p>\n
‘Known hashes+files’ is good+.<\/p>\n
Okay, just writing about stuff is not enough.<\/p>\n
Let’s see how it works in practice.<\/p>\n
In this test I install Total Commander – the latest 32-bit version from http:\/\/www.ghisler.com\/download.htm<\/a><\/p>\n Once installed, the installation folder contains the following list of files:<\/p>\n This is quite a lot of files. If you come across it during exam, you won’t be able to tell which ones are legit and which are not. You need to browse through it all. It takes a lot of human cycles away.<\/p>\n Using a simple script which implements the aforementioned algo I was able to generate the following list of links established between all these files (files are sorted in order of ‘what file is the most popular’, or – in other words – ‘which file is referenced by others the most frequently’:<\/p>\n While simple, the example above allows us to link all of the files produced during the installation of Total Commander and build a cluster which we could call ‘totalcmd’.<\/p>\n I’d love to see a DFIR tool that would allow me to implement this sort of clustering and then help me to hide such filighted files with a click of a mouse. And then applying the same logic to other directories (f.ex. Program Files) one by one could allow us to build such clusters automatically and exclude these files from the ‘view’ as well.<\/p>\n Utilizing such automatically generated clusters + clusters of whitelisted\/blacklisted software (potentially focused on problematic cases) could allow to significantly reduce analysis time (on top of other data reduction techniques).<\/p>\n See the second part here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Filighting (FIle highLIGHTING) is a proof of concept idea that I implemented in perl as a naive clustering and data reduction algorithm modeled on the way software is built on Windows platform. TL;DR; The algo is as follows: enumerate all … Continue reading \n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
The simple example – what does it tell us?<\/h5>\n