Cache Me If You Can!

bromiley
September 01, 2015

"Malware can hide, but it must run" are legendary words for any forensic investigator to live by. As we peek days, weeks, months, sometimes even years back in time, what artifacts are available to help us determine if malware did run? If only there was a native artifact that contained execution information...but wait, there is! In this talk, we will examine Windows execution artifacts including the ShimCache, RecentFileCache, and the newer Amcache hive found in Windows 8 and 10. We will examine the structures of these artifacts, as well as the different points of information recorded by each. Lastly, we will also discuss ways for the forensic investigator to include these artifacts in their investigation, including various parsing tools and analysis techniques.

Transcript

1. Cache Me If You Can!
   Matt Bromiley, Senior Consultant, Mandiant
   © Mandiant, a FireEye Company. All rights reserved.

2. Agenda
   • $ whoami
   • Why Does this Matter?
   • Windows Application Experience and Compatibility
   • Forensic Shim Artifacts
     • RecentFileCache
     • ShimCache
     • AmCache
   • Wrapping Up

3. $ whoami

4. $ whoami
   • Currently a Senior Consultant with Mandiant
   • 4+ years experience with a focus on data breaches, incident response, network security monitoring, and digital forensics
   • Work with clients from small, regional shops to multinational Fortune 50s
   • SANS FOR508 TA
   • LOVE to share, learn, and help others improve (while improving myself!)
   Tweet/Git/Blog: [@]505Forensics[.com]
5. Why Does This Matter?

6. Why Does This Matter?
   “Malware Can Hide, But It Must Run” - SANS

7. Why Does This Matter? - “Malware Can Hide, But It Must Run”
   • Malware authors are continually improving the methods by which they hide their malware
   • Persistence mechanisms are becoming a study unto themselves, due to the intricacies of various operating systems
   • Environments are now running multiple versions of multiple operating systems
   • How can we scale our analysis to focus on artifacts that matter?
   • Which artifacts should we be examining, and for how long do they retain value?

8. Why Does This Matter?
   (Chart: forensic artifacts available vs. time since incident)

9. Why Does This Matter? – Time Is Your Enemy
   • IR usually triggers on an event, and we backtrack in time.
   • As time increases, the artifacts that are available may decrease:
     • Logs roll
     • Users gonna use
     • Shutdowns and reboots
     • Re-deployment
     • Destroyed

10. Why Does This Matter? – Add to Your Arsenal
    • Forensicators need to have as much information as possible
    • Cache entries can also tell us what else happened before/after the malware was run
    • The goal is to understand the compromise; paint a picture of attacker activity
    • Windows *caches help us understand more about what happened when
    • We are constantly peeking back in time
    • We need artifacts that can hopefully stand the test of time as well!
11. Windows Application Experience and Compatibility

12. Windows Application Experience and Compatibility
    • Microsoft Windows Application Compatibility Infrastructure, aka Shim Infrastructure
    • Designed to help mitigate software “breaking” due to Windows “upgrades” or “improvements”
    • Implemented via API hooking; redirects API calls from Windows to alternative code
      • Redirects to shim code
    • Allows applications with older code dependencies to run without performance/software issues for the user

13. Windows Application Experience and Compatibility (cont.)
    (Diagram: application without shims vs. application with shims)
    Source: https://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx

14. Windows Application Experience and Compatibility (cont.)
    Expected shim activity:
    • When process creation begins, Windows checks for application compatibility flags. If present, the application compatibility databases are referenced through the shim engine
    • Parse through shim databases for additional verification of compatibility needs
    • If required, load the shim engine DLL
15. Forensic Shim Artifacts – RecentFileCache

16. RecentFileCache
    • Located at C:\Windows\AppCompat\Programs\RecentFileCache.bcf
    • Typically available on versions older than Windows 8 & 10
    • Temporary storage of a recent list of executed applications
    • What may cause a program to be stored in here?
      • “New” programs (downloaded/copied)
      • First runs of known programs
    • Volatility
      • HIGHLY VOLATILE
      • Cleared when the Application Experience ProgramDataUpdater task is executed, which potentially moves the entries into longer-term storage

17. RecentFileCache (cont.)

18. RecentFileCache – Parsing
    • Harlan Carvey has written a Perl carver
      • https://github.com/keydet89/Tools/blob/master/source/rfc.pl
    • Patrick Olsen has written a Python carver
      • https://github.com/sysforensics/RecentFileCacheParser
    Example:
      python rfcparse.py -f /path/to/RecentFileCache.bcf
      c:\windows\syswow64\unregmp2.exe
      c:\program files (x86)\windows media player\wmpshare.exe

19. RecentFileCache – Parsing (cont.)
    • Lance Mueller also created an EnCase v7 EnScript that can extract RecentFileCache data from memory images or unallocated space, or find the file itself
      • Available at http://www.forensickb.com/2015/04/encase-v7-enscript-to-carve.html
20. ShimCache

21. ShimCache
    • Located within the SYSTEM registry hive
      • Windows XP (and XP-era): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
      • All later versions (non-XP): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
    • Contains program execution/shim details; more extensive than RecentFileCache
    • Lower volatility than RecentFileCache; can store up to 1024 entries

22. ShimCache – Windows XP
    • Entries are created when a new file is executed, or an application is modified and executed.
    • Registry entries are 552 bytes in size; the registry will contain a max of 96 entries
    • The cache data has a 400-byte header that begins with 0xDEADBEEF
    • Header also contains:
      • Number of entries in record
      • Indices used by the cache manager

23. ShimCache – Windows XP (cont.)
    • Entries contain:
      • Full path of executable
      • $SI Last Modified Time
      • File Size
      • Last File Update Time
    • Winlogon saves cache contents to the registry during system shutdown
    • Cache entries may be recovered from unallocated registry or disk space
      • Yes, you can carve for these!
    Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

24. ShimCache – Windows Server 2003
    • Registry path changes
      • …\AppCompatCache\AppCompatCache
    • Registry entries are 24 or 32 bytes in length; the registry will contain a max of 512 entries
    • The cache data has an 8-byte header that begins with 0xBADC0FFE and contains the number of entries
    • Entries will be updated for new executables, or existing executables with path changes/modifications
    • Differences between 32- and 64-bit; important to note for parsing!!
    Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

25. ShimCache – Windows Vista/Server 2008
    • Registry entries are 24 or 32 bytes in length
    • Cache contains up to 1024 entries
    • Two 4-byte flags added (dwInsertFlags and dwFlags)
    • File size removed
    • Applications may now be added to the cache without execution!
      • Windows Explorer may parse EXE metadata, and applications are then added to the cache
    Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

26. ShimCache – Windows 7 and Server 2008 R2
    • Registry entries are 32 or 48 bytes in length
    • Cache contains up to 1024 entries
    • The cache data has a 128-byte header that begins with 0xBADC0FEE and contains the number of cache entries
    • Non-executed applications may still be recorded; however, we can detect execution
    • The only timestamps recorded are still $STANDARD_INFORMATION last modified times

27. ShimCache – Windows 7 and Server 2008 R2 (cont.)
    • New cache updates now include a flag that may tell if the application was executed or not
      • dwInsertFlags may be written with a value of 2, indicating execution
      • dwShimFlags relate to the Compatibility Database
      • qwBlob* values may relate to execution of installers
    Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
28. ShimCache – Parsing
    • Multiple tools available to parse ShimCache
    • Mandiant’s own ShimCacheParser tool
      • https://github.com/mandiant/ShimCacheParser
    • Can parse multiple input formats:
      • Registry hives
      • Extracted keys
      • Current (live) system
      • MIR XML files
    • Output will be returned with most-recent execution first

29. ShimCache – Parsing (cont.)
    • ShimCacheParser usage:
      python ShimCacheParser.py -i <hive_file> -o <hostname>.appcompat.out
      [+] Reading registry hive: SYSTEM...
      [+] Found 32bit Windows 7/2k8-R2 Shim Cache data...
      [+] Found 32bit Windows 7/2k8-R2 Shim Cache data...
      [+] Writing output to <hostname>.appcompat.out...

30. ShimCache – Parsing (cont.)
    • AppCompatCacheParser by Eric Zimmerman
      • Available at http://binaryforay.blogspot.com/p/software.html
    • Can parse a live system or dead hives
    • Usage:
      AppCompatCacheParser.exe -s <output_dir> -h <path_to_hive>
31. AmCache

32. AmCache
    • On Windows 8 & 10/Server 2012, RecentFileCache.bcf/ShimCache is replaced with the ‘AmCache’ hive
    • Location: C:\Windows\appcompat\Programs
    • Now a Windows NT Registry (REGF) hive

33. AmCache (cont.)
    • AmCache ups the forensic game significantly!
    • Now records:
      • SHA-1 hash!
      • PE Header fields
      • Multiple timestamps (last modified, created)
      • Full path to file
      • File version
      • File Size
      • Product Name
      • Program ID
    • Increased forensic value for investigators

34. AmCache (cont.)
    • Records are grouped by Volume GUIDs
      • You can compare registry “folders” to GUIDs found under SYSTEM\MountedDevices
      • Root > File > Volume GUID
    • Volume GUID folders contain entries; each entry represents a program within the AmCache
      • Value names are hexadecimal (e.g. 17, 100, and 101)
      • E.g. 101 represents the SHA-1 of the file

35. AmCache – Parsing
    • Eric Zimmerman has developed AmcacheParser
      • Available at https://www.dropbox.com/s/1letm7lll3wj1ca/AmcacheParser.zip?dl=1
    • Eric’s tool also incorporates whitelist/blacklist capabilities
    • Usage:
      AmcacheParser.exe -s <output_dir> -f <path_to_amcache_hive> [-w <SHA-1 whitelist>] [-b <SHA-1 blacklist>]

36. AmCache – Parsing (cont.)
    • Willi Ballenthin has created a Python script to parse the AmCache hive
      • Available at https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py
    • Yogesh Khatri has created EnCase v6 and v7 parsers
      • Outputs to the console
      • Available at swiftforensics.com
37. Analysis Techniques

38. Analysis Techniques – Case Study
    1. Imagine: SOC receives an alert of malicious traffic originating from a user workstation.
    2. IR team collects targeted artifacts from the host, including registry hives and event logs
    3. Event log parsing shows multiple A/V errors on the file C:\Windows\oSCMpGpk.exe
       • Administrator user logs in, disables A/V, the errors stop
       • We have a filename as a pivot point
    4. Analyst parses ShimCache data from the registry to examine execution artifacts
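As an added worked example (not part of the deck, and not Mandiant's ShimCacheParser), the Python below walks the 32-bit Windows 7 / Server 2008 R2 AppCompatCache layout the ShimCache slides describe (0xBADC0FEE signature, 128-byte header, 32-byte entries, dwInsertFlags value 2 meaning executed) and then applies the case-study pivot to find the suspicious filename. The cache bytes come from a constructed fixture built by build_sample_blob rather than a real hive, and the entry field order is an assumption taken from the 32-bit layout; 64-bit (48-byte) entries and other Windows versions are not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN7_MAGIC = 0xBADC0FEE   # header signature for Windows 7 / Server 2008 R2 (from the slides)
HEADER_SIZE = 128         # 128-byte header; the entry count sits at offset 4
ENTRY_SIZE_32 = 32        # 32-bit entry size; 64-bit entries are 48 bytes and are not handled here
EXEC_FLAG = 0x2           # dwInsertFlags value the talk ties to actual execution
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)
def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_win7_shimcache32(data):
    """Walk a raw AppCompatCache value (32-bit Windows 7 layout, assumed field order) into dicts."""
    magic, count = struct.unpack_from("<II", data, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("not a Windows 7 / 2008 R2 AppCompatCache blob")
    entries = []
    for i in range(count):
        # USHORT Length, USHORT MaxLength, DWORD Offset, FILETIME (low, high),
        # DWORD dwInsertFlags, DWORD dwShimFlags, DWORD BlobSize, DWORD BlobOffset
        (length, _maxlen, path_off, ft_low, ft_high, insert_flags, shim_flags,
         _blob_size, _blob_off) = struct.unpack_from("<HHIIIIIII", data, HEADER_SIZE + i * ENTRY_SIZE_32)
        entries.append({
            "path": data[path_off:path_off + length].decode("utf-16-le"),
            "last_modified": filetime_to_dt((ft_high << 32) | ft_low),  # $SI modified time, not run time
            "executed": bool(insert_flags & EXEC_FLAG),
            "shim_flags": shim_flags,
        })
    return entries
def find_pivot(entries, filename):  # case-study step: entries whose path ends in the pivot filename
    return [e for e in entries if e["path"].lower().endswith("\\" + filename.lower())]
def build_sample_blob(records):
    """Constructed fixture (not a real hive): header, entry table, then the UTF-16LE path area."""
    header = struct.pack("<II", WIN7_MAGIC, len(records)).ljust(HEADER_SIZE, b"\0")
    table, paths = b"", b""
    path_base = HEADER_SIZE + len(records) * ENTRY_SIZE_32
    for path, ft, flags in records:
        raw = path.encode("utf-16-le")
        table += struct.pack("<HHIIIIIII", len(raw), len(raw) + 2, path_base + len(paths),
                             ft & 0xFFFFFFFF, ft >> 32, flags, 0, 0, 0)
        paths += raw + b"\0\0"
    return header + table + paths

SAMPLE = build_sample_blob([  # constructed: a binary Explorer merely saw, plus the case-study file flagged as run
    (r"C:\Windows\System32\notepad.exe", dt_to_filetime(datetime(2009, 7, 14, 1, 14, tzinfo=timezone.utc)), 0),
    (r"C:\Windows\oSCMpGpk.exe", dt_to_filetime(datetime(2015, 8, 31, 12, 0, tzinfo=timezone.utc)), EXEC_FLAG),
])
```

Running find_pivot(parse_win7_shimcache32(SAMPLE), "oSCMpGpk.exe") returns only the pivot entry, with executed set to True; the timestamp it carries is still the file's $SI last-modified time, not the time it ran.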
39. Analysis Techniques (cont.)
    • ShimCache Analysis Techniques

40. Wrapping Up

41. Wrapping Up
    • As forensic investigators, we are constantly seeking new artifacts to help us paint the picture of activity on a system
    • Artifacts are temporal; some are extremely volatile, others have a longer “shelf-life”
    • The various *caches available since Windows XP help provide analysts another source of information to profile suspicious activity
    • There are multiple parsers available for each; pick which works best for you!

42. Shoulders of Giants…
    SANS – http://www.sans.org
    Tools
    • Mandiant ShimCache Whitepaper - https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
    • Eric Zimmerman - http://binaryforay.blogspot.com/
    Blogs
    • Corey Harrell - http://journeyintoir.blogspot.com
    • Harlan Carvey - http://windowsir.blogspot.com
    • Yogesh Khatri - http://www.swiftforensics.com

43. THANK YOU!