Update: Hidden Prefetch Files Detection using New PECmd

Before diving into this post, I wanted to say, that I have been teaching digital forensics for a long time by now, and in my Operating System Forensics class, I use Eric Zimmerman‘s tools a lot, and when I say “a lot”, I truly mean it! The course is not about tools, but when it comes to using a tool to form an understanding of what that session was about, then you’ll always find a tool from Eric there (plus others for sure)! This is one thing about how great Eric’s tools are, but for me, there is more than that! Me and my students from time to time find new things, new bugs, etc. I sometimes send Eric a message from inside class and share a sample with him. We most of the times, get the solution fixed while we’re still in class! That is one of the best things about this guy, how much he cares about his tools, and how much support he provides the community! That is why, I doubt you’ll get such support even from a commercial vendor. They will never be able to get back to you this quick.

What does all that mean here? Well, continuing the previous work “Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis” it means we just got a fix or a new feature added to PECmd :)
Continue reading

Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis

While doing more experiments of running EXEs and Malicious EXEs from ADS and Stealthy ADS to continue my previous work “Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS“, and in order to create a forensic image and share it with the community as I mentioned here, I found some unusual findings!

When creating a forensic image, I also create a list of files and directories within that image, as seen in Figure 1, just for further checking and verification purposes. So, as usual, was doing the image to share and I noticed the following:

Figure 1: List of files found in a Forensic Image

Continue reading

Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS

One of my current students asked if using Stealth Alternate Data Streams (ADS), could bypass AVs? Therefore, I wanted to prove that for the student by doing a simple experiment. What was done is the following:
1. Turned off Windows Defender on my Windows System (used for testing)
2. Created a malicious reverse shell (reverse meterpreter) and copied it over to my Windows system. It was named rev.exe.

Contents of the directory I copied the rev.exe to:

3. Created a reverse shell listener (multi-handler) on my attacking system (Kali) and was waiting for the victim machine to connect back to it.

4. Used the commands we know to hide the reverse shell named “rev.exe” in LPT1.txt and then checked the contents of the temp directory (location of files) using FTK Imager
Continue reading

Forensic Analysis: Creating User GUI vs CLI

Hello,

This is my first forensic analysis post in English; as I’m sure you noticed by now that all of it is in Arabic; so excuse me for my bad English :)

The whole idea came out when @azeemnow asked the #DFIR community the following:
how can you tell the difference between a Windows account created from cmdline vs GUI interface?
Found here: URL

I tried to help by giving ideas, but it seems they didn’t help solve the case! So I said to myself why not replicate the process and do some checks!

Actions below done not in exact listed order (more later)!!!
1- Started a cmd.exe with Administration priveleges, and executed:
net user cmduser cmduser /add
2- From the Windows Control Panel and using the User Account applet, I added a user named guiuser.

Now; the first idea I had in mind is I thought that checking the system logs alone was enough to find clues about the exact location of execution & creation. I was wrong about that! Both log entries showed no difference at all except the username for sure :)
Continue reading