Thursday, May 5, 2011

EnCase EnScript to search for keyword in ROT13 or XOR

Most everyone in the forensic community knows there is loads of valuable information in the Registry. One of those locations is the UserAssist key. This forensic artifact has been explained and written about in just about every forensic blog online. This registry key stores data that is ROT13 encrypted and there are a number of free tools out there to decrypt these values from the registry. 

But it is also very common for other programs, including malware, to use ROT13 to 'hide' some of its settings and configuration. This is a very effective method of avoiding simple keyword searches, etc. XOR is another very common bitwise operation that is used by malware to hide itself of specific strings (i.e. domains named or URLs). In fact, many of the large antivirus companies use XOR to 'hide' the contents of a file that has been detected as a threat and placed into quarantine. 

This EnScript was written to assist in searching for known text that may appear in either a XOR string or ROT13 string somewhere on the disk. A simple use would be to search for something like "Program Files" in ROT13 in unallocated space and you are likely to find all sorts of orphaned UserAssist entries that were either temporarily written to UC or have since been deleted from the active registry. 

Another simple use would be to search for known text, such as "This program cannot" in XOR, which is text that appears in Windows executable files. This would find any executables that may have been XOR'd and do not appear like a normal executable and may have been hidden by malware or AV program or some other process.

When I first started experimenting with this technique, I began searching unallocated for many different common terms, including the logon names of the users. I was very surprised at the number of hits I would find in ROT13 AND XOR in various places across the drive, especially unallocated.

When you run this EnScript, you have a choice of which method you want to search for:

Choose either ROT13 or XOR and then enter a keyword and click OK. This EnScript searches ONLY the selected (blue checked) files in a case. This way you can isolate unallocated or any other specific objects you want to search.

Once finished, the EnScript will create either a "XOR hits" or "ROT13 Hits" folder, depending on the type of search you chose. Inside that folder will be the search hits, as well as the ROT13 text in plain text (comment field) or the XOR key (comment field) used to the find the hit, if you searching in XOR.

In the example, below I searched for the keyword of 'lance' and it found that keyword in numerous places in unallocated space. The comment field shows the plain text keyword, while the preview pane show the 'encrypted' value, as it is on the disk. By a quick glance, you can see these are full paths similar to those found in the UserAssist registry key, bit these were found in unallocated space.

In the next example, I searched for the keyword 'program' and the comment field shows the XOR key used to find that keyword, while the preview column shows the XOR'd data as it was found on disk. It is important to note that the XOR search will only be effective if the original data was XOR'd with a single 8-bit XOR key. If the data was hidden using a muli-byte XOR key, then this technique will not work since each byte of your keyword is XOR'd with every possibility between the decimal value of 1 and 254. In the example below, there are several hits for the word 'program' in unallocated space that are XOR'd.

Once XOR'd data is found by your keyword search, you can use this EnScript to sweep before and after your keyword hit to see the surrounding XOR'd text and possibly find additional artifacts.

This EnScript was inspired by a stand-alone program named 'xorsearch' by Didier Stevens.

3 comments: Wednesday, 18 May, 2011  

Thanks for sharing this. And yes, I agree with your mention of malware using ROT13 and XORing information. It makes static analysis using a debugger or disassembler a bit more difficult, although I'm a big fan of dynamic analysis using either a virtual machine or sandboxed computer.

text message spy Wednesday, 25 May, 2011  

Okay… I want to thanks because it work’s and the step-by-step was so easy to understand… even for a not-well-english speaking person like me… So, thanks again…

Anonymous Monday, 13 June, 2011  

This EnScript works great to find the keyword entered for the XOR feature. But in the comments section of the output under bookmarks it states the XOR key. Unfortunately it seems to be stating the wrong XOR key. If I run XORSearch.exe against the malicious file it I get the proper XOR key result. So it seems like it is just an issue with the reporting of the XOR key. Also, multiple of the EnScript for multiple keywords will clobber results under bookmarks. So an option to rename the output bookmark folder would be great or automatic rename of output to keyword-XOR or something similar would be great.

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles