How was the System Infected? Part 1

Thursday, August 26, 2010 Posted by Corey Harrell
The previous blog post discussed the examination of volatile data to locate malware running in memory. This type of examination will only find the programs or files that were loaded in memory at the time the image was acquired, which means there is a possibility of not identifying all of the malicious files present on the system. Keeping this in mind, I would complete the remaining examination steps even if malware was found running on the system. This post will continue with the examination of Infected 2 by using the remaining examination steps.

Working through the remaining steps provided me with a better understanding of the artifacts left on the system by an infection. As I was working through the examination, I found myself doing two things. First, I was manually creating a timeline of the evidence I located in order to establish a chain of events. For example, the examination of Infected 2's memory image located two pieces of malware, which were 75622830.exe and aaclientt.exe. The examination of these files on the hard disk involved reviewing the files' metadata, including their timestamps. These timestamps would start the timeline, and the timeline would be updated whenever I came across anything else. The second thing I found myself doing was reviewing the other activity on the computer around the same time as the evidence I found. Continuing with the example, I would review the activity on the system around the time the 75622830.exe and aaclient.exe files were created on the system. Not only could reviewing this activity help identify additional malicious software, but it could also help determine how the files ended up on the computer.

Around this point in my testing I was following numerous discussions about using timelines in forensic investigations. Windows Incident Response was discussing it here, here, and here (these are just three posts, but Windows IR has a lot more). Security Ripcord was discussing it here and here. The SANS forensic blog was discussing it here and here. The Win4n6 Yahoo group had a few discussions about timelines as well. Needless to say, I used all of the sites I hyperlinked to in order to gain a better understanding of timelines and how to generate them. I tested a range of tools for generating timelines, including Harlan Carvey's tools (the post has the link to the tools), Security Ripcord's tools, log2timeline, and the SIFT workstation with log2timeline installed.

One of the first things I realized was that timelines could accomplish both of the things I found myself doing, which were creating a timeline and reviewing the other activity on the system. In addition to this, I also found out that timelines can include the majority of the data found using the examination steps. For example, one of the examination steps is to examine the programs run on the system, and two areas that can be examined are the prefetch files and the UserAssist key (for a good post about examining these areas, check out this post). These are just two of the artifacts that can be included in a timeline, in addition to the timestamps of all of the files and folders located on the hard drive. This further opened my eyes to how useful timelines can be to an investigation.
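To show the two things described above in code, building a timeline from file timestamps and then reviewing the other activity around a suspicious file, and to show how artifacts such as prefetch files and the UserAssist key fold into the same timeline, here is an added example. It is not code from this post or from log2timeline, Harlan Carvey's tools or any other tool mentioned here. Every artifact record in it (the paths, prefetch names, run counts and timestamps) is constructed for illustration; only the two file names 75622830.exe and aaclientt.exe come from the post, and their timestamps are invented.

```python
"""Simplified timeline analysis: merge file-system timestamps, prefetch data and
UserAssist entries into one ordered timeline, then pull the activity that surrounds
a suspicious file. Added example, not code from the original post or from any of the
tools it mentions. Every artifact value below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime   # timestamp, treated as UTC
    source: str      # artifact the timestamp came from: FILE, PREFETCH, USERASSIST
    action: str      # what the timestamp records, e.g. "created/modified", "last_run"
    item: str        # file path, prefetch file name or program referenced by UserAssist
    detail: str = ""


# --- constructed sample artifacts (hypothetical values, not real evidence) ---
# File-system records: path -> (created, modified, accessed).
FILE_ENTRIES = {
    r"C:\WINDOWS\system32\notepad.exe": (
        datetime(2004, 8, 4, 12, 0, 0), datetime(2004, 8, 4, 12, 0, 0),
        datetime(2010, 8, 20, 13, 30, 0)),
    r"C:\Documents and Settings\user\Local Settings\Temp\download_sample.exe": (
        datetime(2010, 8, 20, 14, 1, 2), datetime(2010, 8, 20, 14, 1, 5),
        datetime(2010, 8, 20, 14, 1, 40)),
    r"C:\WINDOWS\system32\75622830.exe": (
        datetime(2010, 8, 20, 14, 2, 11), datetime(2010, 8, 20, 14, 2, 11),
        datetime(2010, 8, 20, 14, 2, 30)),
    r"C:\WINDOWS\system32\aaclientt.exe": (
        datetime(2010, 8, 20, 14, 2, 12), datetime(2010, 8, 20, 14, 2, 12),
        datetime(2010, 8, 20, 14, 2, 35)),
}
# Prefetch records: (prefetch file name, last run time, run count).
PREFETCH = [
    ("DOWNLOAD_SAMPLE.EXE-12345678.pf", datetime(2010, 8, 20, 14, 1, 41), 1),
    ("75622830.EXE-9ABCDEF0.pf", datetime(2010, 8, 20, 14, 2, 30), 1),
]
# UserAssist records: (program path as recorded in the key, last run time).
USERASSIST = [
    (r"C:\Documents and Settings\user\Local Settings\Temp\download_sample.exe",
     datetime(2010, 8, 20, 14, 1, 40)),
]


def file_events(files):
    """One event per distinct timestamp on a file; identical timestamps are merged,
    so a file created and never modified shows as a single 'created/modified' event."""
    events = []
    for path, (created, modified, accessed) in files.items():
        by_time = {}
        for action, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
            by_time.setdefault(ts, []).append(action)
        for ts, actions in by_time.items():
            events.append(Event(ts, "FILE", "/".join(actions), path))
    return events


def build_timeline(files, prefetch, userassist):
    """Merge all artifact sources into one list ordered by time."""
    events = file_events(files)
    events += [Event(ts, "PREFETCH", "last_run", name, f"run_count={count}")
               for name, ts, count in prefetch]
    events += [Event(ts, "USERASSIST", "last_run", program) for program, ts in userassist]
    return sorted(events, key=lambda e: (e.when, e.source, e.item))


def events_around(timeline, item_fragment, window_minutes):
    """Return every event within +/- window_minutes of the earliest 'created'
    timestamp of the item whose name contains item_fragment (case-insensitive)."""
    anchor = next((e for e in timeline
                   if item_fragment.lower() in e.item.lower() and "created" in e.action), None)
    if anchor is None:
        raise ValueError(f"no creation event found for {item_fragment!r}")
    window = timedelta(minutes=window_minutes)
    return [e for e in timeline if abs(e.when - anchor.when) <= window]


def render(events):
    """Fixed-width text lines, one per event, for reading or pasting into notes."""
    return [f"{e.when:%Y-%m-%d %H:%M:%S}  {e.source:<10} {e.action:<17} {e.item}"
            + (f"  [{e.detail}]" if e.detail else "")
            for e in events]


if __name__ == "__main__":
    timeline = build_timeline(FILE_ENTRIES, PREFETCH, USERASSIST)
    print("Activity within 3 minutes of 75622830.exe being created:")
    for line in render(events_around(timeline, "75622830.exe", 3)):
        print(line)
```

Run as a script, it prints the ten events that fall within three minutes of the constructed creation time of 75622830.exe and leaves out the unrelated notepad.exe entries; in the sample data the Temp file, its UserAssist entry and its prefetch file all land just before the two malware files appear, which is exactly the kind of neighbouring activity the post describes reviewing by hand. The merged "created/modified" action mirrors the way a file dropped once and never touched again looks in a body file.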

The second part of this post will discuss how timeline analysis was incorporated into the initial examination steps in order to help answer the question of how the system became infected.