Correlating Artifacts “Computers are like Old Testament gods; lots of rules and no mercy.” -Joseph Campbell
In This Lecture USB Device Analysis User Access to Files Detecting System Time Changes Detecting Defrag Detecting Data Exfiltration Thoughts on the Analysis Process
Autorun Keys Run keys cause programs to run each time a user logs on; RunOnce keys run the program once and then delete the value. The HKLM keys apply to every user who logs on, the HKCU keys only to that user. Locations: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Autorun Keys Data value is a command line string of at most 260 characters holding the path to the program (and any arguments). Value name prefix characters: * run even in Safe Mode ! defer deletion of the value until after the command completes (used in RunOnce subkeys; by default the value is deleted before the command runs)
USB Devices Correlate when a specific device was connected with who was logged on at the time and also with what documents were accessed during the time period. Provides indications that an employee may have copied sensitive data into that device. Also correlate with events relating to malware infections. Provides indications the thumbdrive introduced malware and identifies the specific device. Knowing specific device can help us find it if still circulating in an office.
USB Devices Requires cross referencing from multiple locations within multiple hive files. SANS USB forensics checklists: Checklist for USB and thumb drives: https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf Checklist for USB drive enclosures: https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf
USB Scenario 1GB thumb drive from Best Buy with “Geek Squad” logo. Has not been connected to target Win 7 system before. Connected at approx 0813 EDT (1213 UTC) Disconnected at about 0853 EDT. Reconnected at 0914 EDT. FTK Imager v 3.0.0.1442 used to extract System and Software hive files as well as the relevant NTUSER.DAT.
USB Step 1- USBStor keys USBStor keys in the System hive. Initial location where information about USB removable storage devices is stored. HKLM\System\CurrentControlSet\Enum\USBStor Determine CurrentControlSet Recall CurrentControlSet is a pointer to one of the ControlSet00# keys. Look to ControlSet001 and examine the subkeys beneath the USBStor key.
USB Step 1 - USBStor keys The first key below USBStor is the device ID (Disk&Ven_…&Prod_…&Rev_…). Immediately below that is the unique instance ID key: 0C90195032E36889&0. The unique instance ID is the serial number from the device descriptor, followed by "&" and an interface index. It is what we use to map this device to information held elsewhere and can identify a specific device, but there is no guarantee that every USB thumb drive has a unique serial number.
USB Step 1 - USBStor keys Some devices do not have serial numbers and are instead assigned a unique instance ID by Windows upon connection. IDs so assigned have an “&” as the second character. To the best of my knowledge the algorithm is not publicly known.
USB Step 1 - USBStor keys View LastWrite Time LastWrite time of the device ID key is 12:13:21 UTC on July 17 2011, which correlates to our first device connection since the last system reboot. This LastWrite time reflects the first time the device connected since system start, not the most recent connection. Note that some patches rewrite all LastWrite times beneath this key.
USB Step 2 Navigate to the Enum\USB subkey within the same ControlSet. Locate the subkey matching the serial number / unique ID: 0C90195032E36889&0 (left) Find key names with the ID and view the LastWrite time: The LastWrite time of the unique ID / serial number key here correlates to the last time the device was connected to the system. (right)
USB Step 3 Navigate to HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices Will see several volume GUIDs
USB Step 3 Search for the volume GUID whose data contains the device serial number. Here it is volume GUID “\??\Volume{b7d8834c-b065-11e0-834c-005056c00008}”. Note we can also see the device ID “Ven_Best_Buy&Prod_Geek_Squad_U3” in the same data.
USB Step 3 Further investigation shows that the value named \DosDevices\F: contains the same data as the volume GUID we found. Means the device was mounted as F:\. It also indicates that no other device has been mounted as F:\ since the Geek Squad device was removed: had another device been mounted as F:\ we would see that device’s data instead. Useful for mapping file paths, LNK files, Jump Lists, etc.
USB Step 3 Worth noting that you can find indications of other volume types in the MountedDevices key such as TrueCrypt and PGPDisk volumes. Note these value names begin with “#” rather than “\??\Volume”. TrueCrypt and PGP Disk can have legitimate use, but could also represent an attempt to hide data.
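Added example (not part of the lecture material): a small parser for MountedDevices value data that does Step 3 mechanically. It decodes 12-byte MBR entries (disk signature + partition offset), pulls the vendor/product/serial out of USBSTOR device-interface strings, ties every \??\Volume{GUID} value to the \DosDevices\X: value carrying identical data, and flags the "#{GUID}" names used by TrueCrypt/PGPDisk volumes. The sample hive values are constructed: the Geek Squad path is modelled on the lecture scenario (serial 0C90195032E36889&0), the fixed-disk signature, GUIDs and the hidden-volume data are made up.

```python
import re
import struct
from collections import defaultdict

# Value-name patterns found in HKLM\SYSTEM\MountedDevices
DOSDEV_RE = re.compile(r"^\\DosDevices\\([A-Z]):$")
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{([0-9a-f-]{36})\}$", re.I)
HIDDEN_RE = re.compile(r"^#\{([0-9a-f-]{36})\}$", re.I)   # TrueCrypt / PGPDisk style names
# USBSTOR device-interface path carried (UTF-16LE) in the value data
USBSTOR_RE = re.compile(r"USBSTOR#Disk&(Ven_[^&]+)&(Prod_[^&]+)&(Rev_[^#]*)#([^#]+)#", re.I)


def decode_value(data: bytes) -> dict:
    """Classify one MountedDevices value's data blob.
    A 12-byte blob is an MBR volume: 4-byte disk signature + 8-byte partition offset.
    Longer blobs are UTF-16LE device-interface paths (USBSTOR, STORAGE#Volume, ...)."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}", "partition_offset": offset}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    m = USBSTOR_RE.search(text)
    if m:
        return {"kind": "usbstor", "vendor": m.group(1), "product": m.group(2),
                "revision": m.group(3), "serial": m.group(4)}
    return {"kind": "other", "text": text}


def correlate_mounted_devices(values: dict) -> dict:
    """Map each \\DosDevices\\X: value to its decoded device and to every
    \\??\\Volume{GUID} value that carries identical data (i.e. the same volume)."""
    guids_by_data = defaultdict(list)
    hidden = []
    for name, data in values.items():
        m = VOLUME_RE.match(name)
        if m:
            guids_by_data[data].append(m.group(1).lower())
            continue
        m = HIDDEN_RE.match(name)
        if m:
            hidden.append(m.group(1).lower())
    letters = {}
    for name, data in values.items():
        m = DOSDEV_RE.match(name)
        if m:
            entry = decode_value(data)
            entry["volume_guids"] = sorted(guids_by_data.get(data, []))
            letters[m.group(1)] = entry
    return {"drive_letters": letters, "hidden_volumes": sorted(hidden)}


def sample_mounted_devices() -> dict:
    """Constructed MountedDevices values; the Geek Squad path is modelled on the
    lecture scenario (serial 0C90195032E36889&0), everything else is made up."""
    usb_path = ("_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_1.00#"
                "0C90195032E36889&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
    usb_blob = usb_path.encode("utf-16-le")
    mbr_blob = struct.pack("<IQ", 0xA1B2C3D4, 0x100000)   # constructed signature / offset
    return {
        r"\DosDevices\C:": mbr_blob,
        r"\??\Volume{0d5e1f2a-1111-2222-3333-444444444444}": mbr_blob,
        r"\DosDevices\F:": usb_blob,
        r"\??\Volume{b7d8834c-b065-11e0-834c-005056c00008}": usb_blob,
        # TrueCrypt/PGPDisk entries are recognised by the '#' name prefix only;
        # the data here is filler, not a real container record
        r"#{7a1b2c3d-5555-6666-7777-888888888888}": b"\x00" * 16,
    }


def demo() -> dict:
    return correlate_mounted_devices(sample_mounted_devices())


if __name__ == "__main__":
    result = demo()
    for letter, info in result["drive_letters"].items():
        print(letter + ":", info)
    print("hidden volumes:", result["hidden_volumes"])
```

On a real case the `values` dict comes from the MountedDevices key of the exported System hive (any offline hive parser that returns value name and raw REG_BINARY data will do). A drive letter whose data no longer matches the USB device's volume GUID tells you another device has since taken that letter, which matters when you later resolve "F:\" paths from LNK files and Jump Lists.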
USB Step 4 Go to Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 in the NTUSER.DAT hive file for the user we’re investigating. Locate the subkey with the same name as the volume GUID. Its LastWrite time corresponds to the last time the device was connected while that user was logged on, which is what ties the device to a specific user account.
USB Step 5 - Corroborate with Device Classes Navigate to the System\CurrentControlSet\Control\DeviceClasses key. Locate the {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} subkey, which holds devices identified as disks. Beneath it is a subkey whose name begins with “##?#USBSTOR” and contains the device ID “VEN_BEST_BUY&PROD_GEEK_SQUAD_US” and the unique ID 0C90195032E36889&0 for our thumb drive. The LastWrite time should correspond to the first time that the device was connected to the system during the most recent boot session.
USB Step 6 - Correlate with Logs When a USB device connects for the first time, entries written to log files. <System Volume>\Windows\inf\setupapi.dev.log contains information about Plug and Play devices and driver installation. Events with ID 20003 and 20001 having source “UserPnp” are written to System Event Log. May be events with ID 10000 and 10002 with source “DriverFrameworks-UserMode” indicating installation or update of a device driver.
USB Step 6 - Correlate with Logs “DriverFrameworks-UserMode/Operational” Event Log. Not enabled by default. Events logged upon device connection: 2003, 2004, 2006, 2010, 2100, 2101, 2105, 2106. Majority of these events contain the “unique” serial number.
USB Step 6 - Logs The first recorded event when a USB flash drive is connected is usually Event ID 2003 - “Loading drivers to control a newly discovered device”.
USB Step 6 - Logs When a device is removed: Events with IDs of 2100 and 2102 are written to the “DriverFrameworks-UserMode/Operational” Event Log. Event ID 2102 triggers on a disconnection.
USB Step 6 - Logs “How to track down USB flash drive usage with Windows 10’s Event Viewer” https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
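Added example (not from the lecture): the correlation the USB section keeps asking for, done over log records. It pairs each device's Event ID 2003 (drivers loaded for a newly arrived device) with the next 2102 (disconnection) into connect/disconnect sessions, then overlays who was logged on at session start and which files (from LNK or Jump List timestamps) were opened while the device was attached. The event records follow the lecture timeline (connect 12:13 UTC, remove about 12:53, reconnect 13:14) but are constructed: the message wording, VID/PID, user names and file paths are made up, only the device serial comes from the scenario.

```python
import re
from datetime import datetime, timezone

# Event IDs from the slides: 2003 when drivers load for a newly arrived device, 2102 on removal
CONNECT_ID, DISCONNECT_ID = 2003, 2102
# Device instance path as it appears in the event text, e.g. USB\VID_xxxx&PID_xxxx\<serial>
DEVICE_RE = re.compile(r"USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\(\S+)")


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sessions(events: list) -> list:
    """Pair each device's 2003 with the next 2102 into a connect/disconnect session.
    A device still attached when the log ends gets end=None."""
    open_since, sessions = {}, []
    for ev in sorted(events, key=lambda e: ts(e["time"])):
        m = DEVICE_RE.search(ev["message"])
        if not m:
            continue                      # event does not name a USB device instance
        serial, when = m.group(3), ts(ev["time"])
        if ev["id"] == CONNECT_ID and serial not in open_since:
            open_since[serial] = when
        elif ev["id"] == DISCONNECT_ID and serial in open_since:
            sessions.append({"serial": serial, "start": open_since.pop(serial), "end": when})
    for serial, when in open_since.items():
        sessions.append({"serial": serial, "start": when, "end": None})
    return sorted(sessions, key=lambda s: s["start"])


def correlate(sessions: list, logons: list, file_accesses: list) -> list:
    """Attach to each session the users logged on when it started and the files
    opened (LNK / Jump List times) while the device was attached."""
    def inside(t, s):
        return s["start"] <= t and (s["end"] is None or t <= s["end"])
    out = []
    for s in sessions:
        users = sorted({l["user"] for l in logons
                        if l["logon"] <= s["start"]
                        and (l["logoff"] is None or l["logoff"] >= s["start"])})
        files = [f["path"] for f in sorted(file_accesses, key=lambda f: f["time"])
                 if inside(f["time"], s)]
        out.append({**s, "users": users, "files": files})
    return out


# Constructed records (VID/PID, wording, users and paths are made up)
DEV = "USB\\VID_1234&PID_5678\\0C90195032E36889&0"
OTHER = "USB\\VID_1234&PID_0001\\CONSTRUCTED01"
SAMPLE_EVENTS = [
    {"time": "2011-07-17T12:13:21Z", "id": 2003, "message": "Loading drivers for device " + DEV},
    {"time": "2011-07-17T12:30:00Z", "id": 2003, "message": "Loading drivers for device " + OTHER},
    {"time": "2011-07-17T12:53:05Z", "id": 2102, "message": "Forwarded finished Pnp operation for device " + DEV},
    {"time": "2011-07-17T12:53:06Z", "id": 2100, "message": "Received a Pnp or Power operation (no device path in this line)"},
    {"time": "2011-07-17T13:14:02Z", "id": 2003, "message": "Loading drivers for device " + DEV},
]
LOGONS = [
    {"user": "jdoe", "logon": ts("2011-07-17T12:01:10Z"), "logoff": None},
    {"user": "svc_backup", "logon": ts("2011-07-17T06:00:00Z"), "logoff": ts("2011-07-17T07:00:00Z")},
]
FILE_ACCESSES = [
    {"time": ts("2011-07-17T12:20:40Z"), "path": "F:\\Sales\\customers.xlsx"},
    {"time": ts("2011-07-17T13:00:00Z"), "path": "C:\\Users\\jdoe\\Documents\\notes.docx"},
    {"time": ts("2011-07-17T13:20:15Z"), "path": "F:\\Sales\\pricing.xlsx"},
]


def demo() -> list:
    return correlate(build_sessions(SAMPLE_EVENTS), LOGONS, FILE_ACCESSES)


if __name__ == "__main__":
    for s in demo():
        print(s["serial"], s["start"], s["end"], s["users"], s["files"])
```

Two practical notes: feed `build_sessions` only the event IDs the slide lists (if a real log also shows 2102 records during device arrival, filter on the operation named in the message before pairing), and treat the open session of a device with no 2102 as "still attached when the log ended", not as a gap in the evidence.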
USB Part 7 - More Artifacts Check Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt in the Software hive. The key is associated with ReadyBoost, a feature (Windows Vista and later) that tests USB devices for suitability as a flash-based disk cache. Subkeys include information about USB thumb drives and USB drive enclosures for HDDs and SSDs. USB thumb drives have names starting with “_??_USBSTOR#”. The name will include the device ID and the serial number or ID. Caveat: if the system volume is an SSD, ReadyBoost is not used and these subkeys are typically absent.
USB Part 7 - More Artifacts Subkeys ctd. Drive enclosures have names starting with an underscore or several letters. The last two elements, if available are the device ID and device serial number.
USB Part 7 - More Artifacts Subkeys ctd. Note: Device serial number: stored in firmware but modifiable through API. Volume serial number: value assigned to a volume when the volume is formatted; it appears at the end of the EMDMgmt subkey name, after the volume label, as a decimal number. Disk signature: four byte value found at offset 0x1b8 within the MBR (found in the value data of the System\...\MountedDevices key).
USB Part 8 - Windows Shortcuts When a user accesses a volume or file on a USB device, a LNK file is created in either AppData\Roaming\Microsoft\Windows\Recent or …\Office\Recent. The LNK file will (usually) include the volume name, volume serial number, and drive type. The volume serial is stored as a 32-bit number in the LNK file but in decimal in the EMDMgmt subkey name, so convert before comparing. Cross reference with the EMDMgmt subkeys to determine the drive letter assigned to the USB device volume and part of the directory structure within the volume, which gives insight into the use of the device. Correlate these structures with shellbags or UserAssist entries.
USB Part 8 - Windows Shortcuts Further cross reference with *.automaticDestinations-ms Jump LIsts AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinati ons Compound documents holding streams following the LNK file format.
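Added example (not from the lecture) for the Part 7 / Part 8 cross-reference: a minimal MS-SHLLINK parser that pulls the VolumeID (drive type, volume serial, label) and local base path out of a .lnk, a parser for EMDMgmt subkey names, and the join between them on the volume serial (decimal in EMDMgmt, 32-bit integer in the LNK). Because no real LNK file is on the page, the block also builds a constructed shortcut (header + LinkInfo only) to parse; the EMDMgmt names, volume label "GEEKSQUAD", volume serial 0x1234ABCD and the path are made up, with only the device serial 0C90195032E36889&0 taken from the scenario. The same parser works on Jump List entries, since each DestList entry in an *.automaticDestinations-ms stream follows the LNK layout.

```python
import re
import struct

# Shell link header CLSID 00021401-0000-0000-C000-000000000046, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02      # LinkFlags
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                     # LinkInfoFlags
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

# EMDMgmt subkey: _??_USBSTOR#<device id>#<serial>#{class GUID}<volume label>_<volume serial, decimal>
EMD_RE = re.compile(r"^_\?\?_USBSTOR#Disk&(Ven_[^&]+)&(Prod_[^&]+)&(Rev_[^#]*)#([^#]+)#"
                    r"\{[0-9a-f-]{36}\}(.*)_(\d+)$", re.I)


def parse_emdmgmt_name(name: str) -> dict:
    m = EMD_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR EMDMgmt subkey name: {name!r}")
    vol = int(m.group(6))
    return {"vendor": m.group(1), "product": m.group(2), "revision": m.group(3),
            "serial": m.group(4), "volume_label": m.group(5), "volume_serial": vol,
            "volume_serial_hex": f"{vol >> 16:04X}-{vol & 0xFFFF:04X}"}


def _cstring(buf: bytes, off: int) -> str:
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(blob: bytes) -> dict:
    """Return drive type, volume serial, volume label and local base path from a shell link."""
    size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:             # skip the IDList if present
        (idlist_size,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + idlist_size
    if not flags & HAS_LINK_INFO:
        return {}
    _li_size, _li_hdr, li_flags, vid_off, lbp_off, _cnrl_off, _cps_off = struct.unpack_from("<7I", blob, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return {}
    vbase = pos + vid_off
    _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", blob, vbase)
    if label_off == 0x14:                           # label given via VolumeLabelOffsetUnicode
        (ulabel_off,) = struct.unpack_from("<I", blob, vbase + 0x10)
        label = blob[vbase + ulabel_off:].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    else:
        label = _cstring(blob, vbase + label_off)
    return {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
            "volume_serial": serial,
            "volume_serial_hex": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "volume_label": label, "local_base_path": _cstring(blob, pos + lbp_off)}


def build_sample_lnk(local_path: str, volume_label: str, volume_serial: int, drive_type: int = 2) -> bytes:
    """Constructed minimal .lnk (header + LinkInfo with VolumeID and LocalBasePath)."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    label = volume_label.encode("ascii") + b"\x00"
    vid = struct.pack("<4I", 16 + len(label), drive_type, volume_serial, 0x10) + label
    path = local_path.encode("ascii") + b"\x00"
    hdr_size = 0x1C
    lbp_off = hdr_size + len(vid)
    cps_off = lbp_off + len(path)
    link_info = struct.pack("<7I", cps_off + 1, hdr_size, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr_size, lbp_off, 0, cps_off)
    return header + link_info + vid + path + b"\x00"


SAMPLE_EMDMGMT = [   # constructed; 305441741 == 0x1234ABCD
    "_??_USBSTOR#Disk&Ven_Best_Buy&Prod_Geek_Squad_U3&Rev_1.00#0C90195032E36889&0#"
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}GEEKSQUAD_305441741",
    "_??_USBSTOR#Disk&Ven_Other&Prod_Stick&Rev_2.00#CONSTRUCTED01&0#"
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_1234567890",
]


def match_lnk_to_emdmgmt(lnk: dict, emd_names: list):
    """Join a parsed LNK to the EMDMgmt record with the same volume serial."""
    for name in emd_names:
        rec = parse_emdmgmt_name(name)
        if rec["volume_serial"] == lnk.get("volume_serial"):
            rec["drive_letter"] = lnk["local_base_path"][0]
            rec["path_on_device"] = lnk["local_base_path"]
            return rec
    return None


def demo():
    lnk = parse_lnk(build_sample_lnk("F:\\Sales\\customers.xlsx", "GEEKSQUAD", 0x1234ABCD))
    return lnk, match_lnk_to_emdmgmt(lnk, SAMPLE_EMDMGMT)


if __name__ == "__main__":
    print(demo())
```

A match gives you, from one LNK file, the physical device (serial), the drive letter it held and a path inside it; an LNK whose volume serial matches no EMDMgmt entry (or whose drive type is FIXED) points to a different volume and should not be charged to the thumb drive.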
Demonstrate User Access To Files Why? Sometimes not enough to show contraband images on a computer but want to show a specific user accessed a specific file at a specific time. Or perhaps trying to determine what files a user had after anti-forensics techniques and tools were employed.
Demonstrate User Access To Files LNK files and jumplists When user double-clicks a file to open it a LNK file is created. The *.automaticDestinations-ms Jump List is created. Application ID field of the Jump List name identifies opening application. DestList stream includes when the file was accessed.
User File Access - Registry Most Recently Used (MRU) lists. Absent user modification, the LastWrite time of the Registry key refers to when the file listed first in the MRU was accessed. Applications maintain their own MRU listings, typically associated with specific users. MS Paint keeps an MRU list in each user’s profile under Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List Adobe products generally keep an MRU listing.
User File Access - Registry Most Recently Used (MRU) lists. MS Office keeps MRU lists for the various apps in subkeys of \Software\Microsoft\Office\ Each has a File MRU subkey with values listed by number, “1”, “2”, … Values look like: [F00000000][T01CE1E8BD536AA20][O00000000]*C:\Course\rr\plugin.csv The “T” field is a 64-bit FILETIME written as 16 hex digits. 90% sure this is the timestamp of when the document was closed, but documentation is unclear and it requires testing.
User File Access - Registry MRU Lists MS Office documents retrieved from network resources default to “Protected View” requiring user authorization to be able to edit the file. This is tracked in Software\Microsoft\Office\[version number]\[app]\Security\Trusted Documents\TrustRecords Values include: Path to the file The first 8 bytes of binary data are a FILETIME object for when the user clicked “enable editing”
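Added example (not part of the lecture) for the two Office artifacts above, which share one decoding step: converting a FILETIME (100-nanosecond intervals since 1601-01-01 UTC) into a date. It parses File MRU value strings of the form `[F…][T…][O…]*path` and the first 8 bytes of a TrustRecords value. The first MRU string is the one shown on the slide; the second MRU entry, the TrustRecords path and its timestamp are constructed, and the bytes after the FILETIME in the TrustRecords record are left undecoded.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Office File MRU value: [F<flags>][T<FILETIME hex>][O<flags>]*<path>
MRU_RE = re.compile(r"^\[F([0-9A-Fa-f]{8})\]\[T([0-9A-Fa-f]{16})\]\[O([0-9A-Fa-f]{8})\]\*(.+)$")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_office_mru_value(value: str) -> dict:
    m = MRU_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised File MRU value: {value!r}")
    return {"path": m.group(4),
            "timestamp": filetime_to_datetime(int(m.group(2), 16)),
            "f_flags": int(m.group(1), 16), "o_flags": int(m.group(3), 16)}


def parse_file_mru(values: dict) -> list:
    """values maps the numbered value names ('1', '2', ...) to their strings;
    the result is ordered by item number, most recent first."""
    ordered = sorted(values.items(), key=lambda kv: int(kv[0]))
    return [dict(item=int(k), **parse_office_mru_value(v)) for k, v in ordered]


def parse_trust_record(path: str, data: bytes) -> dict:
    """TrustRecords value: the name is the document path, the first 8 bytes of the data
    are the FILETIME of the user's click on 'Enable Editing'; the rest is not decoded here."""
    if len(data) < 8:
        raise ValueError("TrustRecords data shorter than a FILETIME")
    (ft,) = struct.unpack_from("<Q", data, 0)
    return {"path": path, "enabled_editing_at": filetime_to_datetime(ft)}


# Constructed sample: value "1" is the string from the slide, the rest is made up
SAMPLE_FILE_MRU = {
    "1": "[F00000000][T01CE1E8BD536AA20][O00000000]*C:\\Course\\rr\\plugin.csv",
    "2": "[F00000000][T01CE1E80A0000000][O00000000]*C:\\Course\\rr\\hosts.csv",
}
SAMPLE_TRUST = ("%USERPROFILE%/Downloads/invoice.xlsm",
                struct.pack("<Q", 0x01CE1E8BD0000000) + b"\x00" * 16)


def demo():
    return parse_file_mru(SAMPLE_FILE_MRU), parse_trust_record(*SAMPLE_TRUST)


if __name__ == "__main__":
    mru, trust = demo()
    for item in mru:
        print(item["item"], item["timestamp"].isoformat(), item["path"])
    print("enable editing:", trust["enabled_editing_at"].isoformat(), trust["path"])
```

The slide's own value decodes to 2013-03-11 19:08:36.674 UTC; when you place such times on a timeline, remember they are UTC and that the MRU "T" semantics (open vs. close) are the open question the slide flags, so corroborate with LNK, Jump List or $MFT times before relying on the minute.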
User File Access - Registry Web browser history. Web browsers can access the local file system with “file:///”. Internet Explorer: <user>\Software\Microsoft\Internet Explorer\TypedURLs contains an MRU list of addresses typed into the IE address bar. …\Internet Explorer\Main\WindowsSearch may have a value named “Cleared_TIMESTAMP”, a FILETIME object recording when the user last cleared IE history.
Detecting System Time Change Modifying system time is a simple anti-forensics technique. If user changed time through “Date and Time” applet in the Control Panel, will produce an artifact in the UserAssist subkey. With proper auditing policy, Event Logs will have an Event ID 4616 (system time change). Also look for temporal anomalies in event logs.
Defrag Defrag can be used as an anti-forensics tool. Who ran defrag can come up in spoliation cases Legal hold - when individuals are instructed to not delete documents or data. Prefetch File for defrag.exe
Defrag Scheduled Task: <System Volume>\Windows\system32\Tasks\Microsoft\Windows\Defrag\Schedu ledDefrag XML file which will include when defrag scheduled to run. Search event logs for events containing “defrag” to determine if actually ran: Event ID 4196 (Task Started) Event ID 4197 (Task Completed) Event ID 4296 (Action Started) Event ID 4297 (Action Completed)
Data Exfiltration Clients, particularly corporate clients, will often want to know if data was taken. Many ways to move data off of a system. Email or Email attachment Typed in a chat window Removable Device Cloud storage FTP Other ideas?
Data Exfiltration Many of these artifacts change routinely as software updates. After the first period of extensive forensics research on Dropbox, the client updated and began encrypting important information.
Data Exfiltration FTP.exe Native command line ftp utility. Seen incident report where attacker used SQL injection to create and run an FTP script and then launched the FTP utility to download further exploit packages onto the system. When user launches ftp it will create prefetch file. Connecting to a FTP server may store info in Software\Microsoft\FTP\Accounts in Registry.
Data Exfiltration Bluetooth fsquirt.exe is the Bluetooth file transfer wizard. https://msdn.microsoft.com/en-us/library/windows/hardware/dn133848(v=vs.85).aspx The Registry stores data on paired devices (System hive, CurrentControlSet\Services\BTHPORT\Parameters\Devices, one subkey per paired device address). Prefetch file for fsquirt.exe.
Something New - A Case Study Analyst created a super timeline including event logs and Registry LastWrite times. One particular key had a LastWrite time in the middle of the infection process. Viewed the registry key, discovered only a single value. Was the value modified? Was something (a subkey or value) deleted? Extracted the previous hive file from registry backups. Key in question could not be found. Searched slack space for evidence the key had been deleted and recreated. No match. Negative results suggested this key and value were generated by the infection process.
Something New - Case Study Online research showed the key/value pair is part of the process for “disconnecting” IE from Java. System was infected by a browser drive-by that compromised Java. Malware cleaned up after itself to prevent further infection using the same vulnerability. Since this is part of the infection process, the key would not appear in an analyst’s write-up if all they had was the malware binary. Forensics can give us information about malware that cannot be found solely from static and dynamic analysis of the binary. AV vendors frequently publish such malware writeups. Loss of intelligence on the “initial infection vector” if the report is based only on samples and not forensic analysis.
Something New - Process Must develop a process for incorporating various artifacts based on the examination goals. This is where some of the “art” of forensics comes in. A process will help you discover “new” findings and possibly gaps in the data. Gaps, such as no JumpList data during the time a user was logged in, suggest anti-forensics employed. There are checklists and standard procedures. But analysts will often develop their own approaches based on training and experience. Sharing experiences with and getting feedback from other analysts is the best way to develop as a forensic examiner.
References https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings SANS USB device registry checklist: https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf
Questions?