One of the goals of IR engagements is to locate the initial infection vector and/or patient zero. In order to determine this, timeline analysis becomes critical, as does determining when the malware was created and/or executed on a system.
This file create time may become extremely critical if you're dealing with multiple or even hundreds of systems and trying to determine when and where the malware first made its way into the environment.
But what happens when the malware has already been remediated by a Systems Administrator, deleted by an attacker, or new AV signatures are being pushed out, resulting in the malware being removed?
Many of the residual artifacts demonstrate execution, however, it seems very few actually document when the file was created on the system. This is where the USN Journal recently helped me on a case. The USN Journal is by no means new.. but I just wanted to talk about a case study and share my experience with it, as I feel it's an often overlooked artifact.
For purposes of demonstrative data, I downloaded and infected a Windows 7 VM with malware. This malware was from a phishing email that contained a zip file, voice#5734223.zip. This zip file contained a payload, voice.exe. For more details on this malware sample, check out http://malware-traffic-analysis.net/2015/01/27/index.html
So lets run through some typical artifacts that demonstrate execution along with the available timestamps and see what they do and don't tell us...
The MFT contains the filesystem information - Modified, Accessed and Created dates, file size etc. However, a deleted file's MFT record may be overwritten. If you're lucky, your deleted malware file will still have an entry in the MFT - however, in my case this was not to be.
I won't go into to much detail here as Mandiant has a great white paper on this artifact. Basically, on most systems this artifact contains information on files that have been executed including path, file size and last modified date. I parsed this registry key with RegRipper, and located an entry for the test malware, voice.exe:
ModTime: Wed Jan 28 15:28:46 2015 Z
So what does this tell me? That voice.exe was in the Downloads path, was executed, and has a last modified date of 01/28/2015 - <sigh> no create date </sigh>.
The User Assist is another awesome key... it displays the last time a file was executed, along with a run count. Once again, using RegRipper to parse this I located an entry for the test malware:
Mon Feb 23 02:33:34 2015 Z C:\Users\user1\Downloads\voice#5734223\voice.exe (2)*
By looking at this artifact, I can see that the file was executed twice - once on February 23rd, however, I don't know when the first time was. It could have been minutes, hours or days earlier. It still does very little to let me know when the file was created on the system, although I do know it should be sometime before this time stamp.
This is a great artifact that can show execution and even multiple times of execution. But what if the system is a Server, where prefetching may not be enabled? In my case, prefetching was enabled, but there was no prefetch file for the malware in question - at least that is what I thought until I checked the USN Journal. And, once again, it does not contain information related to when the file was created on the system.
Ok, so I've reviewed a couple of typical artifacts that demonstrated that the malware executed (for more artifacts related to execution, check out this blog post by Mandiant "Did it Execute") With timeline analysis, I may even get an idea of when this file was most likely introduced on the system - however, a definitive create date would be nice to have. This brings me too.....the USN Journal.
There are a couple of tools I use to parse the USN Journal. A quick, easy to use script is usnj.pl available from Harlan Carvey's GitHub page.
Parsing the USN Journal and looking for the malware in question, I see some interesting entries for voice.exe, highlighted in red below:
It's also interesting to note that around the same time the prefetch file was created for voice.exe, a file called testmem.exe was created and executed (highlighted in yellow)..hmmmm.
Time to dig deeper. For a little more detail on the USN Journal, there is the TriForce tool. This tool processes three files: $MFT, $J and $Logfile. It then cross references these three files to build out some additional relationships. In my experience, this tool takes a bit longer to run. As you can see by the output below, I now have full file paths that may help add a little more context:
That testmem.exe just became all that more suspicious due to it's location - a temp folder.
By reviewing the USN Journal file, I was able to establish a create date of the malware. This create date located in the USN Journal gave me an additional pivot point to work with. This pivot point lead to some additional findings - a suspicious file, testmem.exe. (For some more on timeline pivoting, check out Harlan's post here). Not only did the create date help locate additional artifacts, but it can also help me home in on which systems may be patient zero. Malware may arrive on a system long before its executed.
Just because it's not there - doesn't mean it didn't exist. For the case I was working, I did not have any existing prefetch files for the malware. However, when I parsed the USN Journal, I saw the prefetch file for the malware get created and deleted within the span of 40 minutes. I also saw some additional temporary files get created and deleted, some of which were not in the MFT.
Alass, as sad as it is, my relationship with the USN Journal does have some shortcomings (and it's not my fault).
"After talking to Troy Larson though I now understand that this behavior is due to the fact that the journal is not circular but rather pages are allocated and deallocated as the journal grows"
This means that you can carve USN Journals records! Check out his blog post here for more information.
Additional reading on the USN Journal
*The run count number was modified from 1 to 2 on this output to illustrate a point.
Yet another excellent post! I've found a great deal of value in the USN Change Journal, either during exams where IR has been relatively soon after the compromise of the system, or if I'm testing various malware. This is the reason I wrote the change journal parser...so that I could add the info to a timeline. This has been really helpful...thanks for highlighting the value of this data source again!
Thanks for providing such a helpful script to the community. :)Delete
I've got a USN parser here that you can supply the MFT to and it will print the full path, if you don't want to run the full TriForce tool on it:ReplyDelete
TZ Works also puts out a great USN Journal parser, jp64.exe, which provides the full path and great reference points as far as where something existed on the MFT. Thanks for this info!!ReplyDelete