Friday, January 18, 2008

Forensic Practical

I run several honeypots and I decided to take some of the malware found on the honeypots and install it on clean computer systems and watch its behavior. To take it a step further for those of you who like to hone your forensic skills, I have decided to post an evidence file of the machine with the malware, and describe a simple scenario that a first responder or examiner would likely face in examining this evidence.

SCENARIO:

A user in a company is using WinXP Home (just go with me on this ;) and he notices his computer is acting funny. He calls the IT staff over, and after some digging around they determine that something is definitely wrong. When they run netstat they see hundreds of connection attempts. They pull the machine offline and image it. Before pulling it offline they did speak to their netsec people, who captured a small amount of network traffic to and from the WinXP system.

The image is provided here in the EnCase evidence format (400 MB).

A network capture in tcpdump format is provided here (230 KB).


This is not rocket science, people; it is a fairly simple exam, but it is a good training example and a very common scenario. Please feel free to download and examine the evidence file and network capture, and then post any comments on what you find.
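The "hundreds of connection attempts" the IT staff saw in netstat, and the small capture the netsec people took, are the two things a first responder can triage before ever opening the disk image. The script below is an added example, not the post's own tooling: with only the Python standard library it walks a classic pcap, counts per source address how many distinct destination/port pairs received a bare SYN, and how many of those handshakes the source actually finished with an ACK. A host that sprays SYNs and never completes the handshake is reported as a suspect. The capture is constructed inline so the script runs offline; the addresses, ports and the two thresholds are assumptions for illustration, not values from the evidence.

```python
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_pcap_frames(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap held in memory."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:      # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:    # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    # EtherType 0x0800 sits at offset 12; the IP protocol byte at offset 14 + 9
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]


def syn_scan_report(pcap_bytes, min_targets=5, max_completion=0.2):  # assumed thresholds
    """Per source IP, distinct SYN targets versus handshakes it completed; 'suspect' when
    at least min_targets were SYNed and no more than max_completion of them completed."""
    targets = defaultdict(set)    # initiator -> {(responder, port)} that got a bare SYN
    synack_seen = set()           # (initiator, responder, port) answered with SYN/ACK
    completed = defaultdict(set)  # initiator -> {(responder, port)} finished with ACK
    for frame in iter_pcap_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if flags & TCP_SYN and not flags & TCP_ACK:        # bare SYN: a new attempt
            targets[src].add((dst, dport))
        elif flags & TCP_SYN and flags & TCP_ACK:          # SYN/ACK from the responder
            synack_seen.add((dst, src, sport))
        elif flags & TCP_ACK and (src, dst, dport) in synack_seen:
            completed[src].add((dst, dport))               # third step of the handshake
    report = {}
    for src, tgts in targets.items():
        done = len(completed[src] & tgts)
        report[src] = {"syn_targets": len(tgts), "completed": done,
                       "suspect": len(tgts) >= min_targets
                       and done / len(tgts) <= max_completion}
    return report


def build_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame carrying only the fields the triage reads."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap global header and record headers."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


def sample_capture():
    """Constructed traffic: a SYN sprayer plus one host that completes its handshakes."""
    scanner, normal, frames = "192.168.1.10", "192.168.1.20", []
    for i in range(1, 9):
        victim = f"10.0.0.{i}"
        frames.append(build_frame(scanner, victim, 1024 + i, 445, TCP_SYN))
        if i % 2 == 0:   # half the targets answer; the scanner re-SYNs instead of ACKing
            frames.append(build_frame(victim, scanner, 445, 1024 + i, TCP_SYN | TCP_ACK))
            frames.append(build_frame(scanner, victim, 2000 + i, 445, TCP_SYN))
    for i in (1, 2):     # the normal host does SYN, SYN/ACK, ACK with two web servers
        victim = f"10.0.0.{i}"
        frames.append(build_frame(normal, victim, 3000 + i, 80, TCP_SYN))
        frames.append(build_frame(victim, normal, 80, 3000 + i, TCP_SYN | TCP_ACK))
        frames.append(build_frame(normal, victim, 3000 + i, 80, TCP_ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    for host, result in sorted(syn_scan_report(sample_capture()).items()):
        print(host, result)
```

Against the real capture, replace `sample_capture()` with the bytes of the pcap file. The parser handles only classic pcap with Ethernet framing, so a pcapng file or a capture taken on a non-Ethernet link has to be converted first. The completion ratio is the useful signal: a busy but healthy client also opens many connections, but it finishes them.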

12 comments:

hogfly Saturday, 19 January, 2008  

Lance,
I'm curious... I haven't downloaded the image yet, but is the EnCase image a complete XP image?

Lance Mueller Saturday, 19 January, 2008  

Hogfly - yes, it's a complete WinXP Home system.

hogfly Saturday, 19 January, 2008  

Not to be a pain... but how did you get around licensing/distribution of a complete operating system? I've been trying to get together ideas for making my honeynet available for live analysis practicals, but licensing is always a blocking issue.

Anonymous Saturday, 19 January, 2008  

Check out reset4setup.exe in the image.

Lance Mueller Saturday, 19 January, 2008  

Can you elaborate or provide any theories you may have? Anything else of interest?

Anonymous Saturday, 19 January, 2008  

"Microsoft Streaming Service Proxy"

Anonymous Saturday, 19 January, 2008  

BTW, upload reset5setup.exe to www.virustotal.com and let it analyze it.

Or check out this permalink: http://www.virustotal.com/analisis/21f95dfa1f10afe4ea2a581e2e34f599

"Server_2003_Activation_Crack.EXE"

Lance Mueller Saturday, 19 January, 2008  

Hogfly - sorry I replied earlier via mobile, but it didn't go through for some reason. I am not really trying to get around any licensing/distro restrictions. It is an EnCase evidence file of an operating system for forensic analysis, not for any other reason.

Anonymous Sunday, 20 January, 2008  

Cheers Lance, I've been looking for such an image for a while. Hope you're feeling better after your Hong Kong trip.

Darren

Anonymous Monday, 21 January, 2008  

The network dump shows that the compromised host opens a three-way handshake to another host; then, after the ACK from the other host, it answers with a new SYN, as if it had not received the ACK packet, so the other host sends another ACK, but the compromised host lets the handshake drop: it seems to be a port scan.
I don't understand why in the second step of the three-way handshake the other host responds with ACK=1+SYN=0 and not with ACK=1+SYN=0, as expected.

I converted the EnCase image to a dd image with FTK Imager, then ran some anti-virus scanners:
avast identifies Win32:Rizo-E (a trojan) in WINDOWS/system32/inetsrv/rpcall.exe
f-prot identifies:
[Found possible security risk] RESET5SETUP.EXE->(PEBundle)->(PEBundle)->(PEBundle)->(PEBundle)->(PEBundle)->(PECompact)
[Found downloader] WINDOWS/system32/reset5.dll
ClamAV on Helix v1.9 (updated) didn't identify anything.
In the event log I didn't see anything strange.
I think the strange behaviour of the compromised host may be caused by that malware.
It may be useful to check the user's web browsing, to see if the user visited some dangerous site, and to virtualize the compromised host to check whether the malware may have come from there.
I discuss this test on my blog (http://www.denisfrati.it/?p=286) and you can read about it in English here:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.denisfrati.it%2F%3Fp%3D286&langpair=it%7Cen&hl=it&ie=UTF-8
I apologize for my bad English.
See you

Anonymous Thursday, 12 August, 2010  

Oh and BTW, for anyone who is still interested, you CANNOT just drag and drop this .E01 file into EnCase.

In order to add this evidence, you have to select Add Device, then in the left column under Sources right-click on Evidence File and select New. A menu will come up, and from there drill down to the folder where the .E01 file resides. Keep clicking Next and EnCase will finally add the evidence and populate the directory structure.

Melo Monday, 14 January, 2013  

Hello Mueller,

I don't understand. After converting the image to raw, I tried to check the image with mmls (Sleuth Kit) and the answer was "Cannot determine partition type". The same thing happened after mounting the E01 image with ewfmount and checking with mmls again. So I tried other tools and realized that there are 2 unknown partitions, 1 "Novell Netware 386" and 1 empty. What did you copy? An entire disk or only a logical partition? I think the part that indicates the partition type is missing. What do you think?

Thanks.
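The mmls failure in the comment above is exactly what a bare volume image produces: mmls looks for a partition table, and a logical acquisition of one volume carries a volume boot record in sector 0 instead, so whatever a tool reads out of offset 446 is boot code, not partition entries. The script below is an added example (not from the post, and not part of EnCase, FTK Imager or The Sleuth Kit): it reads the first 512 bytes of a raw image and decides whether they are an MBR or a volume boot record. Whether this particular E01 really is a logical acquisition is an assumption here, not something the page confirms. Both sample sectors are constructed inline, and the partition type table is a small assumed subset.

```python
import struct

SECTOR = 512
# MBR partition type bytes a Windows XP era disk would plausibly carry (assumed subset)
KNOWN_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
               0x05: "extended", 0x0F: "extended LBA", 0x83: "Linux"}


def classify_first_sector(sector):
    """Classify sector 0 as ('mbr', partitions), ('volume', filesystem) or ('unknown', why)."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        return "unknown", "no 0x55AA boot signature"
    # A volume boot record carries the filesystem's OEM name at offset 3 (NTFS) or its
    # type string further in (FAT); an MBR has boot code there, so test for a VBR first.
    if sector[3:11] == b"NTFS    ":
        return "volume", "NTFS"
    if sector[82:90] == b"FAT32   ":
        return "volume", "FAT32"
    if sector[54:62] in (b"FAT12   ", b"FAT16   "):
        return "volume", sector[54:62].decode("ascii").strip()
    parts = []
    for i in range(4):                                  # four 16-byte entries at 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        status, ptype = entry[0], entry[4]
        start, length = struct.unpack_from("<II", entry, 8)
        if ptype == 0 and length == 0:
            continue                                    # empty slot
        if status not in (0x00, 0x80) or length == 0:
            return "unknown", "boot signature present but partition table is malformed"
        parts.append({"type": ptype, "name": KNOWN_TYPES.get(ptype, "other"),
                      "start_lba": start, "sectors": length})
    if parts:
        return "mbr", parts
    return "unknown", "boot signature present but no partitions and no known VBR"


def sample_ntfs_vbr():
    """Constructed NTFS boot sector: jump, OEM ID, minimal BPB fields, boot signature."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 11, 512, 8)    # bytes per sector, sectors per cluster
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def sample_mbr():
    """Constructed MBR: one bootable NTFS partition starting at LBA 63, 2 GiB long."""
    s = bytearray(SECTOR)
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                             b"\xfe\xff\xff", 63, 4194304)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    for name, sec in (("ntfs_vbr", sample_ntfs_vbr()), ("mbr", sample_mbr())):
        print(name, classify_first_sector(sec))
```

To use it on the evidence, pass it the first 512 bytes of the raw image. If the answer is a volume, there is no partition table for mmls to read; run fsstat and fls on the image directly, with no offset. If the answer is an MBR, the start_lba of the NTFS entry is the sector offset to hand to fls with -o.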


Computer Forensics, Malware Analysis & Digital Investigations
