Deleted Evidence

Fill in the Map to Luke Skywalker

© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL


Agenda

Causes of Deletion

- Automated, Manual, Antivirus

Artifacts of File Creation

- NTFS Metadata files

Artifacts of File Access

- WMI, Application Compatibility

- Many more…


Introductions

Mary Singh

Senior Consultant with Mandiant, 6 years

- DFIR for APT, Financial, and Healthcare Cases

Dave Pany

Consultant with Mandiant, 3 years

- DFIR for APT, Financial, and Healthcare Cases

18 years combined experience in information security

Alexandria, VA office


Causes of File Deletion

When an attacker creates a file, it can be deleted in different ways

Automatic

- Self-destruction built into the malware

- Dropper auto-delete

Manual

- Delete your evil file? Y

- Check Recycle Bin (yes, this happens)

Antivirus

- AV may delete the dropper only

- Attacker creates a new variant in response


Recovering Deleted Attacker Files

Deleted files cannot always be recovered

Chance of file recovery depends on:

- How the file was deleted

- The level of activity/data rewrites on the disk

- Disk hardware

• Size of the disk

• Type of drive (e.g. SSD)

If the file itself cannot be recovered, its metadata is still recorded in other Windows artifacts


ARTIFACTS OF FILE CREATION

NTFS Metadata files


NTFS Metadata Files: $MFT

Does the file look $expensive? Then it’s an NTFS Metadata File…

- $MFT, $LogFile, $UsnJrnl, $I30

$MFT: When a file is created, a corresponding $MFT record is also created

File data in the $MFT $DATA attribute

- If the file is small enough (<700 bytes), the file contents will be stored in the $MFT record itself (called resident data)

- Small malware configuration files or output files may fall into this category

Diagram: layout of an $MFT entry showing its $STD_INFORMATION, $FILE_NAME and $DATA attributes


NTFS Metadata Files: $MFT

When a file is deleted, the $MFT entry is marked as “inactive” or free

- File data is retained in $MFT records – “Lost Files” in EnCase come from here

- Until that portion of disk space is reused, the file metadata can be recovered

Record #   Name                         Flags
28         windows                      Directory, Active
…          …                            …
133        ben.exe                      File, Active
134        robothand (old: greenhand)   File, Active (old: File, Deleted)
135        bluehand                     File, Deleted
136        ewok.txt                     File, Active
…          …                            …

Diagram: File #1 (record 134) was deleted and its record was then reused for robothand, so the old $MFT record is overwritten. File #2 (record 135) was deleted but its record has not been reused, so the $MFT record is still recoverable.


NTFS Metadata Files: $I30

Metadata of Directory Contents

Holds 0x30 ($FILE_NAME) structures, each carrying the 0x10 ($STANDARD_INFORMATION) timestamps

Non-resident INDX records

- https://github.com/williballenthin/INDXParse

- Referenced from the directory's $MFT 0xA0 ($INDEX_ALLOCATION) attribute, whose data run points to the INDX clusters on disk


NTFS Metadata Files: $I30

Resident INDX records

Exist in the 0x90 ($INDEX_ROOT) attribute of a directory's $MFT record if small enough

Can be resized or moved to non-resident

Slack space is not overwritten after resizing


NTFS Metadata Files: $I30


NTFS Metadata Files: $UsnJrnl

$UsnJrnl records changes to the filesystem (for stability purposes), enabled on Vista+

Journal record: File/directory name, corresponding $MFT Entry, Update Sequence Number (USN), Timestamp, Reason Flag, and more…

Reason Flags

- When a file is created, the “USN_REASON_FILE_CREATE” flag is set

- When a file is deleted, the “USN_REASON_FILE_DELETE” flag is set (shocking I know)

- Full list of reason flags: https://msdn.microsoft.com/en-us/library/aa365722.aspx

The $UsnJrnl is overwritten fairly often, but Journal records can be carved from unallocated space or extracted from Volume Shadow Copy

Resources:

- Corey Harrell’s blog - http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html

- Joakim Schicht’s UsnJrnl2Csv parser - https://github.com/jschicht/UsnJrnl2Csv


NTFS Metadata Files: $UsnJrnl

Case Study – Parsed $UsnJrnl was ~395,000 lines

- Columns: Offset, FileName, Timestamp, Reason, MFTReference, MFTReferenceSeqNo, MFTParentReference, more…

125 unique “Reason” Codes. For this case, I focused on:

- DATA_OVERWRITE, FILE_CREATE, RENAME_NEW_NAME

- Searched for “hux.exe” detected by the Windows Defender log

FileName   Timestamp           Reason        MFTReference   MFTReferenceSeqNo   MFTParentReference
hux.exe    01/30/16 11:27:55   FILE_CREATE   104679         140                 624
kylo.exe   01/30/16 11:28:23   FILE_CREATE   104736         97                  624

Parent reference 624 looked up in the parsed $MFT:

HEADER_MFTRecordNumber   FN_FileName   FilePath    FN_CTime
624                      Windows       :\Windows   02/07/14 22:41:51
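As an added example (not code from the presentation or its authors), the following Python parses USN_RECORD_V2 entries and decodes exactly the fields the case study pivots on: file name, reason flags, MFT record number and sequence number (the low 48 and high 16 bits of the file reference), and parent record. The structure layout and reason flag values come from Microsoft's USN_RECORD_V2 documentation; the sample journal is constructed here and reuses the hux.exe / kylo.exe values from the table above, with an invented later delete of hux.exe and a zero-padding gap that real journal pages contain.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_REASON = {0x1: "DATA_OVERWRITE", 0x100: "FILE_CREATE", 0x2000: "RENAME_NEW_NAME",  # documented
              0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME", 0x80000000: "CLOSE"}    # flag subset
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
HDR = "<IHHQQqqIIIIHH"                               # USN_RECORD_V2 fixed part, 60 bytes

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH   # integer math: float seconds lose precision at ~1e17 ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def reason_names(reason):
    return [n for bit, n in sorted(USN_REASON.items()) if reason & bit]

def parse_usn_v2(buf):
    """Walk USN_RECORD_V2 entries in buf; skip zero padding, stop at a bad header."""
    records, off = [], 0
    while off + 60 <= len(buf):
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, _attr, name_len, name_off) = struct.unpack_from(HDR, buf, off)
        if length == 0:                # zero-filled gap, e.g. the tail of a journal page
            off += 8
            continue
        if major != 2 or length < 60 or off + length > len(buf):
            break
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"FileName": name, "Timestamp": filetime_to_dt(ts), "Usn": usn,
                        "Reason": reason_names(reason), "MFTReferenceSeqNo": fref >> 48,
                        "MFTReference": fref & 0xFFFFFFFFFFFF,   # low 48 bits: record number
                        "MFTParentReference": pref & 0xFFFFFFFFFFFF})
        off += length
    return records

def build_usn_v2(name, rec, seq, parent, usn, when, reason):   # constructed sample record
    nb = name.encode("utf-16-le")
    length = (60 + len(nb) + 7) & ~7   # records are padded to an 8-byte boundary
    hdr = struct.pack(HDR, length, 2, 0, (seq << 48) | rec, (1 << 48) | parent,
                      usn, dt_to_filetime(when), reason, 0, 0, 0x20, len(nb), 60)
    return hdr + nb + b"\0" * (length - len(hdr) - len(nb))

def sample_journal():   # rows 1-2 mirror the slide's case study; the later delete is invented
    t = lambda h, m, s: datetime(2016, 1, 30, h, m, s, tzinfo=timezone.utc)
    return (build_usn_v2("hux.exe", 104679, 140, 624, 0x1000, t(11, 27, 55), 0x100)
            + b"\0" * 8   # padding gap the parser must step over
            + build_usn_v2("kylo.exe", 104736, 97, 624, 0x1058, t(11, 28, 23), 0x100)
            + build_usn_v2("hux.exe", 104679, 140, 624, 0x10B0, t(11, 40, 0), 0x200 | 0x80000000))

def records_for(buf, name, wanted=("DATA_OVERWRITE", "FILE_CREATE", "RENAME_NEW_NAME", "FILE_DELETE")):
    """Keyword-hit style query: records for one file name that carry a reason of interest."""
    return [r for r in parse_usn_v2(buf) if r["FileName"].lower() == name.lower()
            and any(w in r["Reason"] for w in wanted)]
```

The same walk works on records carved from unallocated space or a Volume Shadow Copy, since the header check and zero-gap skipping do not depend on journal page boundaries.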


NTFS Metadata Files: $UsnJrnl


Special Case - SDELETE

Sysinternals Tool

Overwrites file names with AAAA.AAA through ZZZZ.ZZZ

Overwrites file contents

- Likely unrecoverable

Look for the EulaAccepted value in the registry

- NTUSER.DAT\Software\Sysinternals\SDelete

Search artifacts with this regex:

- ([A-Za-z])\1{2}(~[0-9]\.|\.)([A-Za-z])\1{2}
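The regex above applied to constructed rows in the shape of a parsed $UsnJrnl listing, as an added example that is not the presenters' code: it groups pattern-named renames by MFT record so a file that went through the SDelete rename cycle surfaces together with the original name it carried before the cycle began. The record numbers and original names reuse the $MFT table from the earlier slide; the rename rows, including the 8.3 short-name form the `~[0-9]` alternative exists for, are invented.

```python
import re
from collections import defaultdict

# Regex from the slide, unchanged: three identical letters, an optional 8.3 "~N" tail,
# a dot, then three letters that must repeat the same letter as the name.
SDELETE_NAME = re.compile(r"([A-Za-z])\1{2}(~[0-9]\.|\.)([A-Za-z])\1{2}")

# Constructed rows in the shape of a parsed $UsnJrnl CSV: (MFTReference, FileName, Reason).
SAMPLE_ROWS = [
    (133, "ben.exe", "FILE_CREATE"),
    (134, "greenhand", "RENAME_OLD_NAME"),
    (134, "AAAAAAAAAAAA.AAA", "RENAME_NEW_NAME"),
    (134, "BBBBBBBBBBBB.BBB", "RENAME_NEW_NAME"),
    (134, "CCCCCC~1.CCC", "RENAME_NEW_NAME"),   # 8.3 short-name form of the same pattern
    (134, "ZZZZZZZZZZZZ.ZZZ", "FILE_DELETE"),
    (136, "ewok.txt", "FILE_CREATE"),
    (137, "aaa.bbb", "FILE_CREATE"),            # repeated letters, but name != extension
]

def sdelete_candidates(rows):
    """Return {MFT record: (first non-pattern name seen, number of pattern-named rows)}."""
    hits, original = defaultdict(int), {}
    for ref, name, reason in rows:
        if SDELETE_NAME.search(name):
            hits[ref] += 1
        elif ref not in original:
            original[ref] = name   # the name the record had before the rename cycle
    return {ref: (original.get(ref), n) for ref, n in hits.items()}
```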


NTFS Metadata Files: $Logfile

NTFS uses the $Logfile to record file creation (and more)

$Logfile contains less history but more detail than $UsnJrnl

- 32,000 records total; once full, it wraps and overwrites from the beginning

- Tracks file system creation, changes, renames

- Does not track specific changes to data within a file

Event Time          File Name           Event           Detail
06/15/16 01:51:44   Lukes_address.rar   File Creation   N/A
06/15/16 01:52:15   map.txt             Renaming File   Lukes_address.rar -> map.txt
06/15/16 03:22:00   map.txt             File Deletion   N/A


ARTIFACTS OF FILE ACCESS

These are the droids you’re looking for


CCM_RecentlyUsedApps

Records software that executes to generate usage statistics

Requirements

- Connected to SCCM server

- Software Metering enabled

Probably enterprise only

Keyword hits!

Two known structures

- null delimited

- XML (only XP)


CCM_RecentlyUsedApps

Fields

- Company Name

- File Name

- File Description

- File Version

- File Path

- Last Used Time

- Last User Name

- Original File Name

- Product Name

- Launch Count

- More

Locations

- WMI Repository

• Vista+ C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA

• XP C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

- C:\Windows\CCM\InventoryStore.sdf

• Compact SQL database that should be extracted first


CCM_RecentlyUsedApps

PE Header Metadata

- Most legit files will have this info

- Lack of info helps files stand out

File paths stand out

How can you parse this?

- python-cim for allocated records

- https://github.com/fireeye/flare-wmi/blob/master/python-cim/samples/show_CCM_RecentlyUsedApps.py

- Standalone Python carver for all records coming soon!


FileSystemFiles

Another tracker of files present on the system at some point in time

TechNet – “FileSystemFile.log” “records the activity of the Windows Management Instrumentation (WMI) provider for software inventory and file collection.”


FileSystemFiles

Fields:

- Company Name

- Description

- Version

- Last Write Date

- Language

- Name

- Path

- Size

Locations

- XP

• C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA

- Vista+

• C:\Windows\CCM\InventoryStore.sdf

- Compact SQL database that should be extracted first

• C:\WINDOWS\system32\wbem\Repository\OBJECTS.DATA


Windows Defender – APT29 Case Study

Built in AV for Windows

Should be enabled by default on workstations – not on servers

Terrible at stopping APT29 – decent at recording their tools

Log file location:

- C:\ProgramData\Microsoft\Windows Defender\Support\MPLog…..log

Microsoft Antimalware

- Azure AV?

- C:\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog…..log


Windows Defender – APT29 Case Study

Keyword hit in the Defender log for known bad 5442.exe

- Scan start time

- File or process path

- Scan results?


Windows Defender – APT29 Case Study

What else do we have?


Windows Defender – APT29 Case Study


Application Compatibility Cache

Windows looks at AppCompatCache a.k.a. “ShimCache” to determine if modules require shimming for compatibility

Depending on OS, the Cache data tracks

- file path, size, last modified time, last execution time, and file created in Vista+

Application Compatibility Cache Registry Keys

- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache (XP) or HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache (later versions)

Diagram (flow into the SYSTEM hive):

1. File executed (file creation also tracked in Vista+)

2. File metadata saved in an in-memory data structure

3. Data structure written to the registry (SYSTEM hive) on shutdown


Application Compatibility Cache

Most recent on top, written on shutdown

Resources:

- ShimCache Parser - https://github.com/mandiant/ShimCacheParser

- Shimcachemem Volatility plugin - https://github.com/fireeye/Volatility-Plugins/tree/master/shimcachemem

Example

- The files “porkins.exe”, “biggs.exe”, and “obiwan.exe” were not recovered

- “obiwan.exe” was a dropper for “anakin.exe” (malicious file)

Last Modified       Last Update   Path                                                        Size   Exe Flag
08/24/15 13:07:33   N/A           C:\Users\luke\AppData\Local\Temp\tmpc0803709\porkins.exe    N/A    Yes
08/21/15 13:14:21   N/A           C:\Users\luke\AppData\Local\Temp\tmp4313f0ee\biggs.exe      N/A    Yes
02/25/15 18:28:08   N/A           C:\Users\luke\AppData\Roaming\Lspld\anakin.exe              N/A    Yes
08/20/15 18:06:49   N/A           C:\Users\luke\AppData\Local\Temp\obiwan.exe                 N/A    Yes


Windows Prefetch

Prefetch stores last 128 files executed (by default)

- Records last run date, path, and the # of times executed

- File creation date may indicate when the file was first run

No Prefetch by default on Windows Servers :-(

Tracks files loaded in the first 10 seconds of execution

- May contain associated libraries, input or output files

Resource: https://github.com/PoorBillionaire/Windows-Prefetch-Parser

Prefetch File Name         Full EXE Path                     Last Ran            # of Times
PHASMA.EXE-19724E9B.pf     C:\PHASMA.EXE                     03/05/16 13:58:00   1
PSEXESVC.EXE-2B528B05.pf   C:\WINDOWS\PSEXESVC.EXE           03/06/16 02:31:30   2
NETSTAT.EXE-31584CCD.pf    C:\WINDOWS\SYSTEM32\NETSTAT.EXE   03/06/16 02:31:58   1


Final Thoughts

Many more artifacts to track deleted evidence

How to catch (almost) all the things:

1) Always research keyword hits

2) Listen to other presentations and webinars

3) Always be learning – new technology/artifacts in new OS versions

4) Be adaptable – think like the attacker

Attackers are sneaky, and they adapt to prevention & detection mechanisms


Thank you!

Mary Singh

[email protected]

@marycheese

David Pany

[email protected]

@davidpany