Forensic Analysis1 - Students

This document is a forensic analysis training module created by ENISA, aimed at teaching incident handlers and investigators best practices for responding to security breaches. It includes detailed instructions on memory and disk analysis, environment preparation, and the use of various tools for forensic investigation. The training is designed to provide practical, hands-on experience using open-source tools in a simulated incident response scenario.

Forensic analysis

Local Incident Response


Toolset, Document for students

1.0
DECEMBER 2016

www.enisa.europa.eu European Union Agency For Network And Information Security


Forensic analysis
1.0 | December 2016

About ENISA

The European Union Agency for Network and Information Security (ENISA) is a centre of network and
information security expertise for the EU, its member states, the private sector and Europe’s citizens.
ENISA works with these groups to develop advice and recommendations on good practice in information
security. It assists EU member states in implementing relevant EU legislation and works to improve the
resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing
expertise in EU member states by supporting the development of cross-border communities committed to
improving network and information security throughout the EU. More information about ENISA and its
work can be found at www.enisa.europa.eu.

Contact
For contacting the authors, please use cert-relations@enisa.europa.eu.
For media enquiries about this paper, please use press@enisa.europa.eu.

Legal notice
Notice must be taken that this publication represents the views and interpretations of ENISA, unless
stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA
bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not
necessarily represent state-of-the-art and ENISA may update it from time to time.

Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.

This publication is intended for information purposes only. It must be accessible free of charge. Neither
ENISA nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.

Copyright Notice
© European Union Agency for Network and Information Security (ENISA), 2016
Reproduction is authorised provided the source is acknowledged.

Table of Contents

1. Foreword 4
2. Story that triggers incident handling and investigation processes. 5
3. Environment preparation 6
4. Memory analysis 9
Checking memory dump file 9
Scanning memory with Yara rules 10
Analysis of the process list 13
Network artefacts analysis 14
5. Disk analysis 16
Mounting Windows partition and creating timeline 16
Antivirus scan 25
Filesystem analysis 26
Application logs analysis 30
Decompiling Python executable 38
Prefetch analysis 41
System logs analysis 44
6. Registry analysis 48
Copying and viewing registry 48
Inspecting registry timeline 50
UserAssist 51
List of installed applications 52
7. Building the timeline 55

1. Foreword

This three-day training module follows the tracks of an incident handler and investigator, teaching best
practices and covering both sides of the breach. It is technical in nature and aims to provide guided
training for both incident handlers and investigators under lifelike conditions. The training material
mainly uses open source and free tools.

2. Story that triggers incident handling and investigation processes.

The customer's organization has found out that some of its sensitive data has been detected in an online
text sharing application. Due to legal obligations and for business continuity purposes, the CSIRT team
has been tasked with conducting an incident response and incident investigation to mitigate the threats.

The breach contains sensitive data and includes a threat notice that more data will follow shortly. As the
breach leads to a specific employee's computer, the CSIRT team tasked with investigating the incident
follows the leads.

Below is presented a simplified overview of the training technical setup.

Components of the setup (labels recovered from the diagram):
- Router, DHCP
- Firewall
- Web-proxy
- Workstation 1
- Workstation/Phone 2
- Compromised web-server (drive-by)
- Compromised web-server (payload)
- Compromised web-server (command and control server function)

3. Environment preparation

All the practical exercises will be done using CAINE Linux. Import the provided virtual machine appliance,
which contains an additional set of scripts and all files necessary for completing the exercises.

Next, attach the separate storage drive with the evidence files (memory dump and disk image) – evidence.vmdk.

Then start the CAINE virtual machine and log into the system (user: enisa, password: enisa).

After logging into the system, mount the partition with the evidence files in read-only mode. The easiest way to
accomplish this is to use the "Mounter" utility. "Mounter" can be started by clicking the green hard drive
icon on the bottom panel. Then choose the partition with the evidence files and click OK.

After this operation evidence data should be available at the /media directory (in this case /media/sdb1).

Now open a terminal and go to the /media/sdb1/Windows directory (or wherever the partition with the
evidence files was mounted), which contains three files:

- disk.raw – raw image of the Windows 10 disk (dd format)
- memory.img – dump of the Windows 10 memory taken shortly after the attack
- MD5SUMS – file with MD5 sums of disk.raw and memory.img

Calculate checksums using md5sum command and then compare its output with checksums stored in
MD5SUMS file.
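As an added example (not part of the ENISA module), the same integrity check done in Python: it parses an md5sum-style MD5SUMS file, streams each image so a multi-gigabyte evidence file never has to fit in memory, and reports OK, MISMATCH or MISSING per file. The file names and contents below are constructed for the example; to use it on the real mount, call verify_evidence("/media/sdb1/Windows").

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the evidence files (not the training data).
SAMPLE_FILES = {
    "disk.raw": b"constructed disk image bytes\n",
    "memory.img": b"constructed memory dump bytes\n",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so large images are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """Parse 'hash  filename' lines as md5sum writes them; blanks and comments are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()   # '*name' marks binary mode on some platforms
    return expected


def verify_evidence(directory, sums_name="MD5SUMS"):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every entry listed in MD5SUMS."""
    with open(os.path.join(directory, sums_name)) as fh:
        expected = parse_md5sums(fh.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif md5_of_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def build_sample_dir(tamper=False):
    """Write the constructed evidence plus a matching MD5SUMS into a temp dir.
    With tamper=True one byte is appended to disk.raw to show a failed check."""
    d = tempfile.mkdtemp()
    lines = []
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {name}")
    with open(os.path.join(d, "MD5SUMS"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    if tamper:
        with open(os.path.join(d, "disk.raw"), "ab") as fh:
            fh.write(b"x")
    return d


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "intact", verify_evidence(build_sample_dir(tamper)))
```

A mismatch at this stage means the copy, not the analysis, is the problem: stop and re-acquire or re-copy the image before any of the later exercises, since every timestamp and hash derived afterwards would otherwise rest on altered evidence.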

If the checksums are correct proceed to the next exercises.

4. Memory analysis

Checking memory dump file


Start by executing the Volatility imageinfo command, which provides general information about the dumped
memory.

The correct profile to use is Win10x86_44B89EEA [1]. Additionally, to make commands execute faster, specify the
addresses of the DTB, KDBG and KPCR structures:

--dtb=0x1a8000 --kdbg=0x82461820 --kpcr=0x8248b000 --profile=Win10x86_44B89EEA

To check that everything is working, list the processes with the pslist command:

Since all following commands during the Windows memory analysis will use the same set of parameters,
for convenience define a shell variable that acts as an alias for vol.py:

[1] This profile was introduced in one of the applied patches. When the code is merged into the main Volatility
repository, the name of this profile might change.

vol='/home/enisa/training/tools/volatility/vol.py -f /media/sdb1/Windows/memory.img --dtb=0x1a8000 --kdbg=0x82461820 --kpcr=0x8248b000 --profile=Win10x86_44B89EEA'

Scanning memory with Yara rules


Yara rules can be found at /home/enisa/training/ex1/yara-rules.

Open terminal and change to the yara-rules directory.

Create additional *.yar file, including all chosen *.yar files.

Scan memory using yarascan plugin and the previously created rules file:

The general output format is as follows (results.txt file):

Count all distinct rules detected:

To find which rule is defined in what file use grep tool:

Open malware/MALW_LURKO.yar file and inspect SharedStrings rule.

Check in which processes UPX and Xtreme RAT rules were detected.
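The three tasks above (count distinct rules, find which file defines a rule, list the processes each rule hit) are usually done with grep, sort and uniq on results.txt. As an added example that is not part of the ENISA module, the same work in Python: it parses the "Rule:" / "Owner:" header pairs that Volatility 2's yarascan plugin prints before each hex dump, counts rules, groups hits by process, and indexes rule names to the file that defines them. The yarascan output, rule files, process names and PIDs below are constructed, not read from the training image.

```python
import re
from collections import Counter, defaultdict

# Constructed yarascan output in the layout Volatility 2 prints (a "Rule:" line,
# an "Owner:" line, then hex dump rows). Processes, PIDs and bytes are invented.
SAMPLE_YARASCAN = """\
Rule: UPX
Owner: Process svchost.exe Pid 3724
0x00401000  55 50 58 30 00 00 00 00 00 10 00 00 00 10 00 00   UPX0............
Rule: xtreme_rat
Owner: Process svchost.exe Pid 3724
0x00410020  58 74 72 65 6d 65 52 41 54 00 00 00 00 00 00 00   XtremeRAT.......
Rule: xtreme_rat
Owner: Process explorer.exe Pid 4120
0x0063a000  58 74 72 65 6d 65 52 41 54 00 00 00 00 00 00 00   XtremeRAT.......
Rule: UPX
Owner: Process update.exe Pid 5312
0x00401000  55 50 58 30 00 00 00 00 00 10 00 00 00 10 00 00   UPX0............
Rule: SharedStrings
Owner: Process explorer.exe Pid 4120
0x0063b100  43 3a 5c 55 73 65 72 73 00 00 00 00 00 00 00 00   C:\\Users.......
"""

# Constructed contents of rule files, standing in for the *.yar files under yara-rules/.
SAMPLE_RULE_FILES = {
    "packers/packer.yar": 'rule UPX\n{\n  strings:\n    $a = "UPX0"\n  condition:\n    $a\n}\n',
    "malware/RAT_Xtreme.yar": 'private rule helper { condition: true }\n'
                              'rule xtreme_rat : rat\n{\n  strings:\n    $s = "XtremeRAT"\n  condition:\n    $s\n}\n',
    "malware/MALW_LURKO.yar": 'rule SharedStrings\n{\n  strings:\n    $u = "C:\\\\Users"\n  condition:\n    $u\n}\n',
}

HIT_RE = re.compile(r"^Rule: (?P<rule>\S+)\nOwner: Process (?P<proc>\S+) Pid (?P<pid>\d+)", re.M)
RULE_DEF_RE = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+(\w+)", re.M)


def parse_hits(text):
    """One (rule, process_name, pid) tuple per yarascan hit; hex dump rows are skipped."""
    return [(m.group("rule"), m.group("proc"), int(m.group("pid"))) for m in HIT_RE.finditer(text)]


def count_rules(hits):
    """Same answer as: grep '^Rule:' results.txt | sort | uniq -c"""
    return Counter(rule for rule, _, _ in hits)


def processes_by_rule(hits):
    """Which (process, PID) pairs each rule matched in, e.g. where UPX and Xtreme RAT were seen."""
    out = defaultdict(set)
    for rule, proc, pid in hits:
        out[rule].add((proc, pid))
    return {rule: sorted(pairs) for rule, pairs in out.items()}


def rule_sources(rule_files):
    """Map rule name -> defining file, like grepping 'rule <name>' across the *.yar files."""
    sources = {}
    for path, text in rule_files.items():
        for name in RULE_DEF_RE.findall(text):
            sources[name] = path
    return sources


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_YARASCAN)
    print(count_rules(hits))
    print(processes_by_rule(hits))
    print(rule_sources(SAMPLE_RULE_FILES))
```

The point of grouping by process rather than by hit is visible in the sample: a packer rule such as UPX firing on its own is weak evidence, while the same PID also matching a RAT family rule is what justifies pulling that process apart in the next task.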

Analysis of the process list


List all running processes using Volatility pslist plugin:

Search the process list for the PIDs of processes containing malicious code from the previous task:

Search for parent processes of explorer.exe, svchost.exe and update.exe (PIDs: 4748 and 5860):

Check the command line which was used to start given process using the dlllist plugin:

Search for the processes named explorer.exe:
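The process-list questions above (who is the parent of a given PID, and are there two explorer.exe processes) come down to following PPID links in the pslist table. As an added example that is not part of the ENISA module, the following parses pslist rows in the column layout Volatility 2 prints, walks the parent chain for a PID, and reports image names that occur more than once. The offsets, PIDs and start times are constructed for the example and are not those of the training memory image.

```python
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "offset name pid ppid start")

# Constructed pslist output in Volatility 2's column layout; every value is invented.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8e4ab9c0 System                    4      0    118      620 ------      0 2016-08-16 12:54:24 UTC+0000
0x9a0f1040 explorer.exe           1812   1780     52     1210      1      0 2016-08-16 12:55:10 UTC+0000
0x9a2c3880 firefox.exe            2900   1812     45      890      1      0 2016-08-16 12:55:53 UTC+0000
0x9a3d5a00 plugin-container.exe   3300   2900     20      300      1      0 2016-08-16 13:02:40 UTC+0000
0x9a4e6120 svchost.exe            3724   3300      6      140      1      0 2016-08-16 13:02:57 UTC+0000
0x9a5f7240 explorer.exe           4120   3724      9      210      1      0 2016-08-16 13:02:58 UTC+0000
0x9a608360 update.exe             5312   4120      7      160      1      0 2016-08-16 13:03:04 UTC+0000
"""

# Offset, name, PID, PPID, then Thds/Hnds/Sess/Wow64 (Sess may be '------'), then the start time.
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\d+\s+\S+\s+\d+\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4})"
)


def parse_pslist(text):
    """Parse data rows into Proc tuples; the header and separator rows do not match and are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append(Proc(m["offset"], m["name"], int(m["pid"]), int(m["ppid"]), m["start"]))
    return procs


def by_pid(procs):
    return {p.pid: p for p in procs}


def parent_chain(procs, pid):
    """Image names from the given process up to the oldest ancestor still present in the list."""
    index = by_pid(procs)
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)                      # guards against PPID loops in a damaged dump
        chain.append(index[pid].name)
        pid = index[pid].ppid
    return chain


def find_by_name(procs, name):
    """All processes with this image name (case-insensitive)."""
    return [p for p in procs if p.name.lower() == name.lower()]


def name_collisions(procs):
    """Image names that occur more than once; a second explorer.exe is the case the text asks about."""
    groups = defaultdict(list)
    for p in procs:
        groups[p.name.lower()].append(p.pid)
    return {n: pids for n, pids in groups.items() if len(pids) > 1}


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print(" <- ".join(parent_chain(procs, 5312)))
    print(name_collisions(procs))
```

A parent whose PPID is no longer in the list (the first explorer.exe above points at a PID that has exited) is normal for a live system; what matters is the chain below it, which here ties the later processes back to the browser session.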

Network artefacts analysis


Search memory for artefacts of network connections using the netscan Volatility plugin.

Inspection of the list can reveal a few connections to nonstandard TCP ports:

There were also some connections to tcp/80 (HTTP) and tcp/443 (HTTPS):

5. Disk analysis

Mounting Windows partition and creating timeline


List partitions present on the disk image:

Mount partition 003 at /mnt/part_c:

Start Autopsy (system menu -> Forensic Tools -> Autopsy 2.24):

If the web browser wasn’t yet started in the system, it should start now. Otherwise open new tab in
browser and go to http://localhost:9999/autopsy.

Create new case by clicking “New Case” and then filling the form as presented on the screenshot below.
Then click “New Case” again.

On the next page you will be informed about path to the case files (including some intermediate results).
Click “Add Host”.

On the next page, specify at least a Host Name and then click "Add Host". It is also worth specifying the GMT
time zone, so that this time zone is used for displaying times during file analysis.

Click “Add Image”.

The next step will be to add disk image as an evidence file. To add a new image click “Add Image” and then
“Add Image File”.

In the next form specify the path to the disk image and check if Type is set to Disk.

Now Autopsy will analyse the partition table on the provided disk image and let the user decide which partitions
to add to the case. In this case, it should be enough to add only the main Windows partition.

After clicking “Add”, Autopsy will display information that a new image was added and linked with the
case. At this point, the analyst can decide whether to add an additional image file or proceed with the
analysis. Click “Ok” since there are no more evidence files to add.

Now the main analysis panel should open.

Create a file activity timeline which will be quite useful during later analysis. To create a timeline, select
partition C:\ and click “File Activity Time Lines”.

Select all options as presented on the screenshot below and click “Ok”:

Now Autopsy will start the analysis of the filesystem on the C:\ partition. Depending on the partition size
and number of files this might take some time.

Fill the form as presented on the screenshot below and click “Ok”.

As a result timeline will be created. Path to this file is <case_path>/Windows/output/timeline-aug2016.txt.

If opening a timeline in a browser leads to a browser crash try opening it in a text editor (e.g. vim, nano).

Antivirus scan
Perform an antivirus scan of the mounted filesystem.

Filesystem analysis
Start by searching the timeline (either in the browser or a text editor) for the update.exe file, which was
detected during the memory analysis.

Later, at 13:03:04 according to the $STANDARD_INFORMATION attribute, the update.exe MFT entry was
changed. Note that 13:03:04 is also the time when the update.exe process was created according to the memory
analysis.

Go back to the main Autopsy panel, choose partition C:\ and click “Analyze”.

Click “Meta Data” and enter 101287 as MFT Entry Number (value can be read from timeline).

One useful piece of information for forensic analysis that can be read from this page is the set of MACB
timestamp values as read from the $STANDARD_INFORMATION and $FILE_NAME attributes.

Go back to the timeline and check what happened shortly before 13:02:57. Quick analysis should reveal
that one second before 13:02:57 file 3568226350[1].exe was created.

Moreover, shortly before that, multiple Firefox cache files were created, suggesting Firefox activity. Among
those files there is one in which ClamAV detected exploit code.

Another way to browse filesystem is to use the Autopsy File Analysis utility. To do this, go to the main
Autopsy panel and choose analysis of C:\ partition.

Next, navigate to C:\Users\Peter\AppData\Roaming where two suspicious directories, EpUpdate and
HostData, are located (they were found in the previous analysis).

Open EpUpdate/ directory and inspect its contents.

Open new terminal window and change directory to the location of the previously generated body file
(created by Autopsy during timeline preparation):

Next, using the mactime tool, generate a small timeline and filter the results using grep:

mactime -z GMT -b body -d 2016-08-16T13:03:00..2016-08-16T13:14:47 | grep 'C:/Users' | grep '\.exe'

-z – time zone specification
-b – path to body file
-d – output in comma delimited format (makes the date present in each row)
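As an added example that is not part of the ENISA module, the mactime pipeline above reimplemented in Python so the body-file format itself is visible: each body line is expanded into one row per distinct timestamp with its MACB letters (mactime's behaviour), rows are filtered to a time window and a name pattern, and $FILE_NAME rows are tagged separately from $STANDARD_INFORMATION rows so the two can be compared. The body lines below are constructed in the TSK 3.x layout Autopsy writes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the names, inodes, sizes and epoch times are invented.

```python
import re
from datetime import datetime, timezone

# Constructed body-file lines (TSK 3.x layout, epoch seconds). All values are invented.
SAMPLE_BODY = """\
0|C:/Windows/System32/kernel32.dll|8432-128-1|r/rrwxrwxrwx|0|0|1114112|1468368000|1468368000|1468368000|1468368000
0|C:/Users/Peter/AppData/Local/Temp/svchost.exe|101280-128-2|r/rrwxrwxrwx|0|0|98304|1471352577|1471352577|1471352577|1471352577
0|C:/Users/Peter/AppData/Local/Temp/svchost.exe ($FILE_NAME)|101280-48-2|r/rrwxrwxrwx|0|0|98304|1471352577|1471352577|1471352577|1471352577
0|C:/Users/Peter/AppData/Roaming/EpUpdate/update.exe|101287-128-1|r/rrwxrwxrwx|0|0|98304|1471352584|1471352577|1471352584|1471352577
0|C:/Users/Peter/AppData/Local/Temp/54948tp.exe|101300-128-1|r/rrwxrwxrwx|0|0|5210112|1471353003|1471353003|1471353003|1471353003
0|C:/Users/Peter/Documents/notes.txt|2201-128-1|r/rrwxrwxrwx|0|0|512|1471353100|1471353100|1471353100|1471353100
"""

# Body column order is a,m,c,b; mactime prints the letters in "macb" order.
MACB_LETTERS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))


def parse_body(text):
    """One dict per body line; rows for the $FILE_NAME attribute are tagged so they can be
    checked against the $STANDARD_INFORMATION row of the same MFT entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError("unexpected body line: " + line)
        name, inode, size = parts[1], parts[2], int(parts[6])
        atime, mtime, ctime, crtime = map(int, parts[7:11])
        entries.append({
            "name": name, "inode": inode, "size": size,
            "attr": "$FILE_NAME" if name.endswith(" ($FILE_NAME)") else "$STANDARD_INFORMATION",
            "mtime": mtime, "atime": atime, "ctime": ctime, "crtime": crtime,
        })
    return entries


def to_events(entries):
    """mactime's expansion: one row per distinct timestamp of an entry, showing the
    MACB letters that share that time and '.' for the ones that do not."""
    events = []
    for e in entries:
        by_time = {}
        for field, letter in MACB_LETTERS:
            if e[field]:                      # 0 means 'no timestamp', as mactime treats it
                by_time.setdefault(e[field], set()).add(letter)
        for t, letters in by_time.items():
            macb = "".join(l if l in letters else "." for _, l in MACB_LETTERS)
            events.append((t, macb, e["name"], e["inode"], e["size"]))
    return sorted(events, key=lambda ev: (ev[0], ev[2]))


def parse_iso(s):
    return int(datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())


def timeline(body_text, start, end, pattern=None):
    """Rough equivalent of: mactime -z GMT -b body -d start..end | grep pattern
    Rows are 'date,size,macb,inode,name', in the spirit of mactime's -d output."""
    lo, hi = parse_iso(start), parse_iso(end)
    rx = re.compile(pattern) if pattern else None
    rows = []
    for t, macb, name, inode, size in to_events(parse_body(body_text)):
        if lo <= t <= hi and (rx is None or rx.search(name)):
            stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append(f"{stamp},{size},{macb},{inode},{name}")
    return rows


if __name__ == "__main__":
    for row in timeline(SAMPLE_BODY, "2016-08-16T13:03:00", "2016-08-16T13:14:47", r"C:/Users.*\.exe"):
        print(row)
```

In the constructed sample, update.exe produces two rows, "m..b" at 13:02:57 and ".ac." at 13:03:04, which is exactly the split the text describes between the file's creation and the later change to its MFT entry; seeing an entry's timestamps fan out like this is the reason mactime expands one body line into several rows rather than printing one line per file.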

Application logs analysis


On Windows 10, the Firefox profile is located at C:\Users\<name>\AppData\Roaming\Mozilla\Firefox,
while cache files can be found at C:\Users\<name>\AppData\Local\Mozilla\Firefox.

Go to Users/Peter/AppData/Roaming/Mozilla/Firefox directory on the mounted partition:

Inspect the Crash Reports directory.

Check in Autopsy timestamps of both crash dump files (.dmp and .extra) from pending subdirectory:

Open the .extra file in a text editor:

Start the BrowsingHistoryView tool (~/training/tools/BrowsingHistoryView/BrowsingHistoryView.exe) using
Wine. In the Advanced Options window, options should be set as shown in the screenshot below.

After clicking OK, the history of visited pages should appear. If the list is empty, make sure all options in the
Advanced Options window were set correctly (Options -> Advanced Options).

Next, it is worthwhile to set the time zone to GMT and sort the list by the Visit Time column. Due to a
Wine bug, you might need to scroll the list down and up to refresh it before the changes take effect.

Scroll down to the date of the incident, 16/08/2016, and analyse websites visited by the user.

Mozilla Firefox cache files are located at
Users\Peter\AppData\Local\Mozilla\Firefox\Profiles\<profname>\cache2:

To view the Firefox cache use MZCacheView [2]. MZCacheView is located at
~/training/tools/MozillaCacheView/MozillaCacheView.exe and should be started using Wine.

[2] http://www.nirsoft.net/utils/mozilla_cache_viewer.html

In the next window, specify the path to the cache2 folder:

After clicking OK, MZCacheView will load data from the cache files. This operation might take a short time.
After the data is fully loaded, change dates to GMT time zone (the same as in Browsing History View tool)
and sort content by Last Modified date.

Scrolling down to the date of the incident, shortly after visiting the blog.mycompany.ex website, multiple
other files were downloaded from another domain, blog.mysportclub.ex:

Export the cache files to a separate directory for further analysis and to keep the evidence data in one place.

To export cache data, select all entries related to blog.mysportclub.ex domain. Then right click on selected
items and choose “Copy Selected Cache Files To…”.

In the next window, specify an output directory (if this directory doesn’t exist it should be created first!).

The same should be repeated for blog.mycompany.ex domain (changing only the output directory).

Perform an analysis of the exported cache files. A good starting point would be an analysis of the index file
of the blog.mycompany.ex website:

After opening it in a text editor, notice the strange script at line 153:

Now, switching to the analysis of cache files from blog.mysportclub.ex, open the
/wp-content/uploads/hk/task/opspy/index.php file (previously saved to blog.mysportclub.ex as index.php.htm).

Try to search for svchost.exe occurrences in cache files.

Open the first file found. Additionally, to make viewing easier, replace all '\n' sequences with actual
newline characters.

Scroll down to the middle of the file where cmd variable is defined.

Decompiling Python executable


Filesystem analysis revealed that at 13:10:03 UTC the suspicious executable 54948tp.exe was created at the
%TEMP% path.

Extract the .pyc files from the executable using the unpy2exe script [3]. Two .pyc files should be extracted.

Next, using the uncompyle6 tool [4], try decompiling the bytecode in the .pyc files to the original Python code.

[3] https://github.com/matiasb/unpy2exe

Inspect the code found in tp.py.pyc_dis file.

Find get_toolz function in the code:

Find and inspect main function.

[4] https://pypi.python.org/pypi/uncompyle6/

Next, check in Autopsy referenced %TMP%/SystemProfile directory.

Inspect sysinfo.txt file.

Check SystemProfile/netscan/ directory.

Check contents of the .xml files found in netscan/ directory.

Prefetch analysis
To parse Windows 10 prefetch files use the 505Forensics script [5]. The script can be found at
~/training/tools/win10_prefetch/. Run this script and save its output to a prefetch.csv file. Then open
prefetch.csv in LibreOffice Calc.

LibreOffice should correctly propose separating values by commas. In the Text Import window just click Ok.

[5] http://www.505forensics.com/windows-10-prefetch/

Select all data cells and from Data menu choose sort. Then choose column D (Last Run Time 0) for primary
sort key (Sort Key 1).

Table data should now be sorted by last run time of the binaries.

Scroll down to the time of the incident.

System logs analysis


Copy all Windows logs from Windows\System32\winevt\Logs to ~/training/ex1/winevt/evtx/.

Convert previously copied EVTX files to XML format using evtxdump.pl utility.

List all logs in XML format.

Open any of the XML files and inspect XML structure of system logs.

Run ~/training/tools/logparse.py script with --help parameter to view script usage information:

Using logparse.py script search for all events that were logged between 14:03:00 and 14:05:00.

Search for all events mentioning the "hydra.exe" phrase, which may have been logged at a different period of
time. This can be done by specifying a pattern filter to logparse.py.

Search for events with IDs 6005, 6006 or 6008.
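The three log searches above (a time window, a text pattern, a set of event IDs) are what logparse.py does over the XML produced by evtxdump.pl. As an added example that is not part of the ENISA module and not the logparse.py script itself, the following loads records in the Windows event XML schema (assumed here to be the form evtxdump.pl emits), normalises TimeCreated/SystemTime to UTC including the 7-digit fractional seconds Windows writes, and applies all three filters. The events below are constructed: the host name, times, providers and process paths are invented; event IDs 6005/6006 (event log service started/stopped), 4688 (process creation) and 7036 (service state change) are standard Windows IDs.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed records in the Windows event XML schema. All values are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="EventLog"/><EventID>6005</EventID>
    <TimeCreated SystemTime="2016-08-16T12:54:31.000000Z"/><Computer>WKS-EXAMPLE</Computer></System>
  <EventData><Data>The Event log service was started.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
    <TimeCreated SystemTime="2016-08-16T14:02:04.5123456Z"/><Computer>WKS-EXAMPLE</Computer></System>
  <EventData><Data Name="NewProcessName">C:\\Users\\Peter\\AppData\\Roaming\\EpUpdate\\hydra.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Service Control Manager"/><EventID>7036</EventID>
    <TimeCreated SystemTime="2016-08-16T14:03:30Z"/><Computer>WKS-EXAMPLE</Computer></System>
  <EventData><Data Name="param1">Windows Update</Data><Data Name="param2">running</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
    <TimeCreated SystemTime="2016-08-16T14:04:44.000000Z"/><Computer>WKS-EXAMPLE</Computer></System>
  <EventData><Data Name="NewProcessName">C:\\Users\\Peter\\AppData\\Roaming\\EpUpdate\\Hydra.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="EventLog"/><EventID>6006</EventID>
    <TimeCreated SystemTime="2016-08-16T15:30:00.000000Z"/><Computer>WKS-EXAMPLE</Computer></System>
  <EventData><Data>The Event log service was stopped.</Data></EventData>
</Event>
</Events>
"""

TIME_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z?$")


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def child(el, name):
    return next((c for c in el if local(c.tag) == name), None)


def parse_time(s):
    """SystemTime may carry 0 to 7 fractional digits; keep microsecond precision, assume UTC."""
    m = TIME_RE.match(s)
    if not m:
        raise ValueError("unexpected timestamp: " + s)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micro = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def load_events(xml_text):
    """One dict per <Event>: UTC time, event ID, provider and the joined EventData text."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        system, data = child(ev, "System"), child(ev, "EventData")
        events.append({
            "time": parse_time(child(system, "TimeCreated").get("SystemTime")),
            "event_id": int(child(system, "EventID").text),
            "provider": child(system, "Provider").get("Name"),
            "text": " ".join((d.text or "") for d in data) if data is not None else "",
        })
    return events


def filter_events(events, start=None, end=None, event_ids=None, pattern=None):
    """Time window (ISO strings, inclusive), ID set and case-insensitive regex over provider+text."""
    lo = parse_time(start) if start else None
    hi = parse_time(end) if end else None
    rx = re.compile(pattern, re.I) if pattern else None
    out = []
    for e in events:
        if lo and e["time"] < lo or hi and e["time"] > hi:
            continue
        if event_ids and e["event_id"] not in event_ids:
            continue
        if rx and not rx.search(e["provider"] + " " + e["text"]):
            continue
        out.append(e)
    return sorted(out, key=lambda e: e["time"])


if __name__ == "__main__":
    evs = load_events(SAMPLE_XML)
    for e in filter_events(evs, event_ids={6005, 6006, 6008}):
        print(e["time"].isoformat(), e["event_id"], e["text"])
```

Searching 6005/6006/6008 is a check on the log itself rather than on the attacker: a 6006 (clean stop) or 6008 (unexpected shutdown) inside the incident window tells you where the event log has gaps, and a 6005 shortly after tells you when coverage resumed, so time-window searches that return nothing can be read correctly.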

6. Registry analysis

Copying and viewing registry


Copy all registry files to separate directory at ~/training/ex1/registry:

Start Windows Registry Recovery (WRR) tool from ~/training/tools/WRR/WRR.exe using Wine.

Using WRR open HKLM\Software hive located in SOFTWARE file.

Check what information can be extracted from registry using WRR tool.

Choose Raw Data function from the left panel to view the original registry structure.

Inspecting registry timeline


Use regtime plugin of RegRipper tool to create timeline.

Scroll timeline until date of the incident when GhCtxq8t key was modified.

Inspect contents of GhCtxq8t key using WRR tool and Raw Data function.

Search for PuTTY related entries on the registry timeline created from NTUSER.DAT file.

View SshHostKeys key using WRR tool.

UserAssist
To quickly decode and extract information about UserAssist use userassist plugin from the RegRipper tool:

Find the UserAssist entries related to the incident:
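What RegRipper's userassist plugin does for you is shown here as an added example that is not part of the ENISA module and not RegRipper's code: value names under the UserAssist Count subkeys are ROT13-encoded, and on Windows 7 and later the 72-byte value holds the run count at offset 4, the focus count at offset 8, the focus time in milliseconds at offset 12 and the last-run FILETIME at offset 60. The sample values are constructed in that layout (the helper that builds them exists only to make test data); the paths and counts are invented.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """UserAssist value names are ROT13-encoded, the known-folder GUID prefix included."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means the program was never run."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic so 17-digit tick counts do not lose precision in a float."""
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10


def parse_userassist_value(raw):
    """Windows 7+ layout: run count @4, focus count @8, focus time (ms) @12, last run FILETIME @60."""
    if len(raw) < 68:
        raise ValueError("value too short for the Windows 7+ UserAssist layout")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", raw, 4)
    (last_run,) = struct.unpack_from("<Q", raw, 60)
    return {"run_count": run_count, "focus_count": focus_count,
            "focus_ms": focus_ms, "last_run": filetime_to_datetime(last_run)}


def decode_entries(values):
    """{encoded name: raw bytes} -> {decoded name: parsed fields}."""
    return {rot13(name): parse_userassist_value(raw) for name, raw in values.items()}


def build_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value in the layout above; used only to produce sample data."""
    ft = 0 if last_run is None else datetime_to_filetime(last_run)
    return (b"\x00" * 4 + struct.pack("<III", run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


# Constructed sample registry values, names stored ROT13-encoded as on disk.
SAMPLE_VALUES = {
    rot13("C:\\Users\\Peter\\Downloads\\winpcap-nmap-4.13.exe"):
        build_value(1, 1, 3000, datetime(2016, 8, 16, 13, 50, 29, tzinfo=timezone.utc)),
    rot13("C:\\Program Files\\Mozilla Firefox\\firefox.exe"):
        build_value(12, 9, 540000, datetime(2016, 8, 16, 12, 55, 53, tzinfo=timezone.utc)),
    rot13("C:\\Windows\\System32\\notepad.exe"): build_value(0, 0, 0, None),
}


if __name__ == "__main__":
    for name, fields in decode_entries(SAMPLE_VALUES).items():
        print(name, fields["run_count"], fields["last_run"])
```

Because the last-run field is a FILETIME, it is already UTC; a mismatch between a UserAssist time and a prefetch "Last Run Time" is more often a time-zone conversion on one side than a real discrepancy, which is why the module asks for GMT everywhere.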

List of installed applications


Start by opening the SOFTWARE registry file with the WRR tool. Then navigate to the
Microsoft\Windows\CurrentVersion\Uninstall key:

Each Uninstall subkey contains some information about the application (varying between subkeys) such as
installation date, path to the uninstall binary, application version or install source.

By browsing subkeys in Uninstall key, check Mozilla Firefox and Adobe Flash Player versions.

Check the last modification date of WinPcapInst key by right clicking on the subkey and choosing
Properties from the context menu.

7. Building the timeline

To get a better picture of the whole incident, at the end it is worth building a timeline with all timestamps
collected from the different sources. The list below presents all timestamps obtained in the previous tasks.

Observations that should be correlated with other logs (network logs, logs from other hosts) were
additionally marked in bold.

TIMESTAMP [UTC] | OBSERVATION | EVIDENCE SOURCE
12:54:24 | Start of System process | Memory analysis
12:54:31 | Start of Event log service | System logs
12:55:53 | Start of firefox.exe | Prefetch files, UserAssist keys
13:02:46 | User visits http://blog.mycompany.ex/ | Firefox history
13:02:50 - 13:03:17 | Browser downloads pages from http://blog.mysportclub.ex/wp-content/uploads/hk/ (EK) | Firefox history, Filesystem analysis
13:02:53 | Creation of Firefox cache file possibly containing exploit code (CVE-2012-3993) | AV scan, Filesystem analysis
13:02:56 | Creation of 3568226350[1].exe file (referred in one of the cache files) | AV scan, Filesystem analysis
13:02:57 | Creation of svchost.exe binary in %TEMP% directory | Filesystem analysis
13:02:57 | Start of svchost.exe process containing Xtreme RAT code | Memory analysis
13:02:57 | Modification of Run and RunOnce keys | Registry analysis
13:02:58 | Start of second explorer.exe process containing Xtreme RAT code (possible Run PE) | Memory analysis
13:03:04 | Start of update.exe process with Xtreme RAT code | Memory analysis
13:03:10 | Modification of GhCtxq8t registry key (update.exe) | Registry analysis
13:03:16 | Firefox flash plugin crash report | Firefox crash reports
13:07:36 | Start of some cmd.exe process | Memory analysis
13:10:03 | Creation of 54948tp.exe executable in %TEMP% directory | Filesystem analysis
13:10:13 | Execution of 54948tp.exe | Prefetch files
13:10:13 - 13:14:47 | Time period when http://blog.mysportclub.ex/wp-content/uploads/hk/files/data_32.bin was downloaded | Python decompilation
13:14:47 | Creation of %APPDATA%\EpUpdate folder containing multiple hacking tools | Filesystem analysis
13:14:47 | Creation of %TEMP%\SystemProfile folder containing results of execution of various commands | Filesystem analysis
13:14:47 | Execution of mimikatz.exe and creation of mimikatz.log file | Prefetch files, Filesystem analysis
13:14:50 | Execution of browserpassworddump.exe and creation of bpd.log | Prefetch files, Filesystem analysis
13:34:25 | Creation of sysinfo.txt in %TEMP%\SystemProfile | Filesystem analysis
13:42:12 | Start of some cmd.exe process | Memory analysis
13:50:29 | Start of winpcap-nmap-4.13.exe | UserAssist
13:59:29 | Port scan of 192.168.5.1 | Filesystem analysis
13:59:34 | Port scan of 192.168.5.10 | Filesystem analysis
13:59:36 | Port scan of 192.168.5.15 | Filesystem analysis
14:02:04 | Execution of hydra.exe process (possible dictionary attack) | System logs
14:04:44 | Execution of Hydra.exe (possible dictionary attack) | Prefetch files, System logs
14:08:30 | Start of some cmd.exe process | Memory analysis
14:10:49 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:11:20 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:11:26 | Modification of PuTTY SshHostKeys (RSA key pointing to 192.168.5.10) | Registry analysis
14:17:45 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:18:48 | Start of some cmd.exe process | Memory analysis
14:20:44 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:22:45 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:23:02 | Start of some cmd.exe process | Memory analysis
14:23:31 | Possible login to some remote host (Plink.exe execution) | Prefetch files
14:23:46 | Start of some cmd.exe process | Memory analysis
14:47:12 | Execution of PSCP tool, possibly to download/upload some data from remote host | Prefetch files
14:47:54 | Execution of PSCP tool, possibly to download/upload some data from remote host | Prefetch files
14:50:09 | Execution of PSCP tool, possibly to download/upload some data from remote host | Prefetch files
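Merging the rows above is mostly a matter of getting every source onto one clock: Volatility prints "UTC+0000", EVTX records carry an ISO SystemTime with a Z suffix, mactime's default output is a weekday-first layout, some tools print local time with an offset, and registry values hold raw FILETIMEs. As an added example that is not part of the ENISA module, the following normalises each of those forms to UTC, sorts the combined list, and flags observations from different sources that fall within a couple of seconds of each other, which are the ones that corroborate one another. The observations are constructed for the example and are not the module's evidence.

```python
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed observations, each written the way its source tool reports time
# (Volatility pslist, EVTX SystemTime, mactime default layout, a tool reporting
# local time with an offset, and a raw FILETIME from a registry value).
OBSERVATIONS = [
    ("Memory analysis", "2016-08-16 13:02:57 UTC+0000", "Start of svchost.exe process"),
    ("System logs", "2016-08-16T14:02:04.512Z", "Execution of hydra.exe process"),
    ("Filesystem analysis", "Tue Aug 16 2016 13:02:56", "Creation of 3568226350[1].exe"),
    ("Prefetch files", "2016-08-16 15:14:47 +0200", "Execution of mimikatz.exe"),
    ("Registry analysis", 131158261900000000, "Modification of GhCtxq8t key"),
]

STAMP_FORMATS = [
    "%Y-%m-%d %H:%M:%S UTC%z",     # Volatility pslist/pstree 'Start' column
    "%Y-%m-%dT%H:%M:%S.%fZ",       # EVTX TimeCreated SystemTime (up to 6 fractional digits)
    "%Y-%m-%dT%H:%M:%SZ",
    "%a %b %d %Y %H:%M:%S",        # mactime default output, produced with -z GMT
    "%Y-%m-%d %H:%M:%S %z",        # tools that print local time with an explicit offset
]


def to_utc(stamp):
    """Normalise one timestamp to an aware UTC datetime; naive stamps are taken as UTC."""
    if isinstance(stamp, int):
        return WIN_EPOCH + timedelta(microseconds=stamp // 10)   # FILETIME: 100-ns ticks
    for fmt in STAMP_FORMATS:
        try:
            dt = datetime.strptime(stamp, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unrecognised timestamp: {stamp!r}")


def build_timeline(observations):
    """Sorted (UTC ISO stamp, source, observation) rows for the final incident timeline."""
    rows = sorted((to_utc(stamp), source, text) for source, stamp, text in observations)
    return [(dt.strftime("%Y-%m-%dT%H:%M:%SZ"), source, text) for dt, source, text in rows]


def cross_source_clusters(observations, window_s=2):
    """Groups of observations from more than one source within window_s seconds of each
    other: independent evidence for the same event, or a conflict that needs explaining."""
    rows = sorted((to_utc(stamp), source, text) for source, stamp, text in observations)
    if not rows:
        return []
    clusters, current = [], [rows[0]]
    for row in rows[1:]:
        if (row[0] - current[-1][0]).total_seconds() <= window_s:
            current.append(row)
        else:
            clusters.append(current)
            current = [row]
    clusters.append(current)
    return [[(s, t) for _, s, t in c] for c in clusters if len({s for _, s, _ in c}) > 1]


if __name__ == "__main__":
    for row in build_timeline(OBSERVATIONS):
        print(*row, sep=" | ")
    print(cross_source_clusters(OBSERVATIONS))
```

Any stamp the normaliser rejects raises rather than being silently dropped; a row that cannot be placed on the UTC clock should be resolved by hand before the timeline is used, since a misplaced entry is harder to spot later than a missing one.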

ENISA
European Union Agency for Network
and Information Security
Science and Technology Park of Crete (ITE)
Vassilika Vouton, 700 13, Heraklion, Greece

Athens Office
1 Vass. Sofias & Meg. Alexandrou
Marousi 151 24, Athens, Greece

PO Box 1309, 710 01 Heraklion, Greece


Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu
