Thursday, January 31, 2008

Forensic Practical #1 - Answers

A few weeks ago I posted a forensic practical along with a basic scenario. You can review it here. A few readers posted some comments, some of them on target, but not nearly in-depth enough. Here is a summary of key points that should have been observed.

1. WINDOWS/system32/inetsrv/rpcall.exe is malware and would be identified by an AV scan. The behavior of this malware is to scan for additional vulnerable machines, which is what caused the network traffic. This executable is set to run at boot through the HKLM\Run key.

2. Looking at the creation date of rpcall.exe should reveal some interesting things, most notably is that every file in the parent folder (\windows\system32) has the same created date/time. This is not normal and is indicative of some sort of timestamp manipulation tool.

3. Sorting by filenames would have revealed a prefetch file was created 06/18/04. Sorting on creation time on that file would show several other files of interest were started near that same time:


4. Looking for sms.exe would result in finding no executable named that, but there must have been one at some point if there was a prefetch file, right?

5. An exam of the User assist keys shows several programs run by the user account of "vmware". One of which is "UEME_RUNPATH:C:\System Volume Information\_restore{00D8A395-89D5-46B8-A850-E02B0F637CE5}\RP2\snapshot\Repository\FS\sms.exe" What the heck is a user doing executing something out of a system restore point folder?

6. Searching in unallocated for "sms.exe" in Unicode would reveal some interesting results

7. Searching the $Logfile would also reveal some interesting results for the keyword of sms.exe, including a complete MFT record for that file and the MAC timestamps. In addition there is an interesting fragment of text from what appears to be a batch file named del10.bat.

8. A search of del10.bat would reveal several hits, including a complete MFT record in the $logfile with timestamps and the appearance in two prefetch files, sms.exe & cmd.exe.

9. reset5setup.exe is a crack used to bypass Windows activation.

There are more artifacts, but the above listed ones are a good start.


Anonymous Monday, 05 September, 2011  

Great article,

however, it would be really great if u can post some articles which shows the deleted date and timelines for the files which were deleted directly via Recycle bin and without Recycle bin, if it is on FTK that would be better, Encase would also do.


Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles