Monday, December 9, 2013

Daily Blog #169: Sunday Funday 12/8/13 Winner!

Hello Reader,
Another Sunday Funday has come and gone, with an interesting change this week that I'm curious to get your feedback on. For the first time I themed this week's Sunday Funday around topics discussed in this week's Forensic Lunch. I was hoping this would give many of you a leg up in getting started, so please let me know in the comments what you thought: is this something you'd like to see done again?

With that said, here is this week's winning answer!

The Challenge:
You have a Windows 2008 system with two partitions: one system partition and one data partition for file storage and sharing. You recovered an application compatibility cache entry showing that setmace.exe ran, but you don't know what was changed. You need to answer the following questions:

1. How can you detect timestamp manipulation via setmace on the system disk?
2. How can you detect timestamp manipulation via setmace on the data disk?
3. How can you recover what files setmace was pointed at?
4. How can you recover what commands were executed?

The Winning Answer:
Anonymous

I tried to answer them in order, but the answers quickly got mixed together, as I thought it would be better to explain my process in order.

1. How can you detect timestamp manipulation via setmace on the system disk?
2. How can you detect timestamp manipulation via setmace on the data disk?
3. How can you recover what files setmace was pointed at?
4. How can you recover what commands were executed?

According to your blog post #130 on Detecting Fraud, "setmace cannot access the physical disk of any system volume, but it can access the physical disk of non system volumes" on Windows Vista/7/8. I would imagine that this is true for Windows 2008 as well, as it's based on Windows NT 6.x. As a result, there wouldn't be any timestamp manipulation via setmace on the system disk.

I would first examine userassist and prefetch to determine if and when setmace has been run.

I would run a keyword search for setmace in an attempt to determine any potential artefacts in slack space. I would examine the pagefile/hiberfil and (hopefully) RAM dump using the processes shown in "Extracting Windows Command Line Details from Physical Memory" and "Restoring Windows CMD sessions from pagefile.sys". This may provide me with clues as to which files were modified. 

I would then create a timeline of activity and look for the low-hanging fruit: files with created times when the computer was off, prior to the OS, or after seizure. This may allow me to determine if setmace has been run on the data disk (as there would be a reference to the drive letter in the command) and may tell me the files that the program was run across.

I am also able to examine the shell artefacts in jumplists/lnk files/shellbags and compare their values with the files on the disk. Any deviations will raise flags as to the accuracy of the timestamps. I would then compare volume shadow copies of the files that have been flagged. I am also able to look for anomalies regarding file access prior to the file being created on the system.
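As an added example (not part of the original post or the winning answer), the timeline checks described in the answer turned into a small Python script run over constructed timestamps: it flags created/modified times that predate an assumed OS install time, postdate an assumed seizure time, or fall inside an assumed power-off window, plus files whose current modified time is earlier than the copy a LNK file recorded, or whose access time precedes their creation. All paths, times and windows below are made up.

```python
from datetime import datetime

# Constructed sample data, not from any real case: file-system timestamps
# taken from a timeline of the data partition, plus the target timestamps
# recorded inside LNK files that once pointed at those files.
OS_INSTALL = datetime(2012, 3, 1, 9, 0)      # assumed OS install time
SEIZURE = datetime(2013, 12, 6, 17, 30)      # assumed seizure time
POWER_OFF = [(datetime(2013, 11, 2, 20, 0), datetime(2013, 11, 4, 7, 0))]  # assumed

TIMELINE = [  # one record per file: path, created, modified, accessed
    {"path": r"D:\share\report.xlsx", "created": datetime(2013, 11, 15, 10, 2),
     "modified": datetime(2013, 11, 15, 10, 2), "accessed": datetime(2013, 11, 20, 8, 0)},
    {"path": r"D:\share\contract.docx", "created": datetime(2011, 5, 5, 8, 0),
     "modified": datetime(2011, 5, 5, 8, 0), "accessed": datetime(2011, 5, 4, 8, 0)},
    {"path": r"D:\share\memo.txt", "created": datetime(2013, 11, 3, 2, 15),
     "modified": datetime(2013, 11, 3, 2, 15), "accessed": datetime(2013, 11, 3, 2, 15)},
    {"path": r"D:\share\notes.txt", "created": datetime(2013, 10, 1, 12, 0),
     "modified": datetime(2013, 10, 20, 9, 0), "accessed": datetime(2013, 11, 9, 16, 45)},
]

LNK_TARGETS = {  # target path -> (created, modified) as stored inside the LNK
    r"D:\share\notes.txt": (datetime(2013, 10, 1, 12, 0), datetime(2013, 11, 9, 16, 45)),
}


def flag_anomalies(timeline, lnk_targets, os_install, seizure, off_windows):
    """Return {path: [reasons]} for files whose timestamps cannot all be genuine."""
    flags = {}
    for entry in timeline:
        reasons = []
        for field in ("created", "modified"):
            ts = entry[field]
            if ts < os_install:
                reasons.append(f"{field} predates OS install")
            if ts > seizure:
                reasons.append(f"{field} is after seizure")
            if any(start <= ts <= end for start, end in off_windows):
                reasons.append(f"{field} falls in a power-off window")
        if entry["accessed"] < entry["created"]:
            reasons.append("accessed before created")
        # Shell artefacts keep their own copy of the target's timestamps; a LNK
        # modified time later than the file's current one means it went backwards.
        recorded = lnk_targets.get(entry["path"])
        if recorded and recorded[1] > entry["modified"]:
            reasons.append("modified time earlier than LNK-recorded value")
        if reasons:
            flags[entry["path"]] = reasons
    return flags
```

Flagged files are the candidates to compare against volume shadow copies, as the answer suggests; a clean result only means none of these particular checks fired.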


Let's get back to USN Journal analysis tomorrow!