Wednesday, April 17, 2013

Log2Timeline - mft.pm

When I analyze a case, I always want to see the filename ($FILE_NAME) timestamps as well.

So I modified mft.pm in the log2timeline lib.

This is an mft.pm that includes the filename timestamps.

If you use log2timeline, it will help you when you analyze malware whose timestamps were changed.


Link : https://dorumugs-tools.googlecode.com/files/mft.pm


Monday, April 15, 2013

Carving - PCAP in Memory (NAFT)

I searched for a tool to carve pcap data from memory.

The tool is NAFT (The Network Appliance Forensic Toolkit). The download link is below.

Link : http://blog.didierstevens.com/programs/network-appliance-forensic-toolkit/


Here is how pcap data is carved from memory.

(1) PCAP Structure





(2) Global Header & Packet Header

[RED] Global header (byte order as stored in the file)
Type    Description                       Value
DWORD   Magic Number                      0xD4C3B2A1
WORD    Major Version Number              0x0200
WORD    Minor Version Number              0x0400
DWORD   GMT to Local Correction           0x00000000
DWORD   Accuracy of Timestamps            0x00000000
DWORD   Max Length of Captured Packets    0xFFFF0000
DWORD   Data Link Type                    0x01000000

[Blue] Packet header
Type    Description                       Value
DWORD   Timestamp seconds                 1355707892 == 0x50CE75F4, stored as 0xF475CE50
DWORD   Timestamp microseconds            616446 == 0x967FE, stored as 0xFE670900
DWORD   Capture Length                    92 => 0x5C
DWORD   Frame Length                      92 => 0x5C

Just a trick: the timestamp is made from the file offset.

Example : Offset 7398799
          7 is the timestamp seconds.
          398799 is the timestamp microseconds.
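As an added example (not the author's code and not part of NAFT), this is how the two headers above and the offset-based timestamp trick look when written out with Python's struct module. The frame passed in the usage call is a constructed placeholder; the function names are this example's own.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # written little-endian, so the file starts with bytes D4 C3 B2 A1
LINKTYPE_ETHERNET = 1        # Data Link Type 1, stored as 01 00 00 00


def pcap_global_header(snaplen: int = 0xFFFF) -> bytes:
    """24-byte libpcap global header: magic, version 2.4, GMT correction,
    timestamp accuracy, max captured length, data link type."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def timestamp_from_offset(offset: int):
    """The post's trick: decimal offset 7398799 becomes 7 seconds + 398799 microseconds.
    Returns (seconds, microseconds)."""
    return divmod(offset, 1_000_000)


def pcap_record(frame: bytes, offset: int) -> bytes:
    """16-byte packet header (ts_sec, ts_usec, captured length, frame length) followed by the frame.
    A carved frame has no real capture time, so the offset stands in for it."""
    sec, usec = timestamp_from_offset(offset)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def write_pcap(frames_with_offsets, path: str) -> None:
    """Write (offset, frame) pairs recovered from a memory image as a pcap file."""
    with open(path, "wb") as fh:
        fh.write(pcap_global_header())
        for offset, frame in frames_with_offsets:
            fh.write(pcap_record(frame, offset))


if __name__ == "__main__":
    # Constructed placeholder frame (92 bytes of 0xAA), tagged with the offset from the trace below.
    write_pcap([(77008910, b"\xaa" * 92)], "carved.pcap")
```

Because the timestamps come from offsets, sorting the resulting pcap by time sorts the frames by their position in memory, which is what you want when you read the capture back in Wireshark.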


(3) Searching ARP

Search for the magic bytes "0x08 0x06 0x00 0x01 0x08 0x00 0x06 0x04"
(The offset of magic) - 12 == The start of ARP
(The offset of magic) + 30 == The end of ARP
The total length of ARP == 42 (0x2A)

From : The start of ARP to the end of the ARP
ARP Offset : (The offset of baseAddress) + (The offset of magic) - 2*6
ARP DATA Offset : (The offset of magic) - 2*6 ~ (The offset of magic) + 30


(4) Searching IP
Search for bytes between 0x45 and 0x4F (depending on the flag options).
Then check whether they are the start of an IPv4 header by calculating the header checksum.
The calculated value is compared with the stored checksum.
      potentialIPHeader : 69 ~ 69 + 4 * (69-64) => 69 ~ 89

If the checksum is verified, calculate the packet length.










#################################################################################
baseAddress               :   0
offset(==index)           :   77008910
potential IP Header       :   4500004e0a85000080119bc8c0a88901c0a889ff
potentialIPHeader[2]      :   00
potentialIPHeader[3]      :   4e

ord(potentialIPHeader[2]) * 0x100 + ord(potentialIPHeader[3])
     0 * 0x100 + 78
packetLength              :   78

Second                    :   0x4d
Microsecond               :   0x22ce
Packet saved in file      :   0x5c
Actual length of packet   :   0x5c

DATA                      :
(77008896, '\xff\xff\xff\xff\xff\xff\x00PV\xc0\x00\x08\x08\x00E\x00\x00N\n\x85\x00\x00\x80\x11\x9b\xc8\xc0\xa8\x89\x01\xc0\xa8\x89\xff\x00\x89\x00\x89\x00:5\x81\xed!\x01\x10\x00\x01\x00\x00\x00\x00\x00\x00 EJFDEBFEEBFACACACACACACACACACAAA\x00\x00 \x00\x01')

Formula                   :
oFrames.AddFrame(baseAddress + index - 2*6 - 2, data[index - 2*6 - 2:index + packetLength], duplicates)
##################################################################################
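The ARP search of step (3) and the IPv4 search of step (4) as one added Python example; this is not the author's code and not NAFT's. The memory buffer is constructed for the example: it embeds the NBNS frame shown in the trace above, a constructed ARP request, and filler bytes, and the function names are this example's own assumptions.

```python
ARP_MAGIC = bytes.fromhex("0806000108000604")   # EtherType ARP, HTYPE Ethernet, PTYPE IPv4, HLEN 6, PLEN 4
ETH_HEADER_LEN = 14                              # 6 dst MAC + 6 src MAC + 2 EtherType: the "2*6 - 2" in the formula


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over a whole IPv4 header; 0 means the stored checksum verifies."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def carve_arp(data: bytes, base_address: int = 0):
    """Step (3): each magic hit yields one 42-byte ARP frame, 12 bytes before the magic to 30 after."""
    frames = []
    index = data.find(ARP_MAGIC)
    while index != -1:
        start, end = index - 12, index + 30
        if start >= 0 and end <= len(data):
            frames.append((base_address + start, data[start:end]))
        index = data.find(ARP_MAGIC, index + 1)
    return frames


def carve_ipv4(data: bytes, base_address: int = 0):
    """Step (4): a byte 0x45..0x4F is a candidate IPv4 header (version 4, IHL 5..15);
    keep it only when its checksum verifies, then cut the Ethernet frame around it."""
    frames = []
    for index in range(ETH_HEADER_LEN, len(data)):
        first = data[index]
        if not 0x45 <= first <= 0x4F:
            continue
        header_len = 4 * (first - 0x40)             # IHL is in 32-bit words: 69 -> 20 bytes
        header = data[index:index + header_len]
        if len(header) != header_len or ip_checksum(header) != 0:
            continue
        packet_length = header[2] * 0x100 + header[3]   # Total Length, the trace's ord()*0x100 + ord()
        if packet_length < header_len or index + packet_length > len(data):
            continue
        start = index - ETH_HEADER_LEN
        frames.append((base_address + start, data[start:index + packet_length]))
    return frames


# Constructed sample memory: the NBNS frame from the trace above, a constructed ARP request, filler.
NBNS_FRAME = (bytes.fromhex("ffffffffffff" "005056c00008" "0800"
                            "4500004e0a85000080119bc8c0a88901c0a889ff"
                            "00890089003a3581"
                            "ed210110000100000000000020")
              + b"EJFDEBFEEBFACACACACACACACACACAAA" + bytes.fromhex("0000200001"))
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806000108000604" "0001"
                          "001122334455" "c0a88901" "000000000000" "c0a889fe")
MEMORY = b"\x00" * 40 + NBNS_FRAME + b"\xaa" * 23 + ARP_FRAME + b"\x00" * 17

if __name__ == "__main__":
    for offset, frame in carve_ipv4(MEMORY) + carve_arp(MEMORY):
        print(offset, len(frame), frame[:14].hex())
```

The checksum test is what keeps the 0x45..0x4F scan usable: ASCII text such as the NetBIOS name in the sample frame is full of bytes in that range, and only the real header at offset 40 survives the verification. Byte 0x4E of the Total Length field is also a candidate and is rejected the same way.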


Sunday, April 7, 2013

Carving - PE files

If examiners can't find anything by searching, they start carving for things like PE files, registry hives, event logs, JPEGs, etc.

This page is a project for carving such things.

First, I start with PE carving.

Let's Start!


A PE file consists of a PE Header and a PE Body.

The PE Header is comprised of DOS Header + DOS Stub + NT Header (File Header + Optional Header) + Section Headers.

The PE Body is the sections.

We must know the PE structure to carve it, but I don't introduce it here because the structure is described in many places on the web.


- PE Carving -
Before carving PE files, the examiner must know the cluster/block size.

(1) Search for the PE magic value at the first offset of every cluster.
       The PE magic value is 0x45 0x5A; its ASCII is MZ.

(2) If you find the PE magic value at the first offset of a cluster, search for the magic value of the NT header in that cluster. This is 0x50 0x45 0x00 0x00, and its ASCII is PE.

(3) The size of the NT Header is 0xF8.

(4) The File Header in the NT Header holds the number of sections. The number of sections must be bigger than zero.

(5) The magic of the Optional Header in the NT Header is 0x0B 0x01 if the PE runs on 32-bit; when it runs on 64-bit, the value is 0x0B 0x02.

(6) The size of the PE Header is found at offset 0x3C from the start of the Optional Header.

(7) The Section Headers have the file alignment and the section alignment. The file alignment has the start offset of each section in the file; the section alignment has the start offset of each section in memory.

(8) The size of each section table entry is 0x28.

(9) Pointer to raw data in the section table gives the start offset of its section.

(10) Size of raw data in the section table gives the size of its section.
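The ten steps as an added Python example; this is not the author's PE_Carver.py. Its assumptions: a cluster size of 4096, the NT header located through the e_lfanew field at offset 0x3C of the DOS header, the Optional Header size read from the File Header (0xE0 for PE32, which gives the 0xF8 NT header size of step 3 and also covers PE32+), and a constructed minimal PE as the sample image. The MZ check compares the ASCII bytes "MZ" (0x4D 0x5A).

```python
import struct

CLUSTER_SIZE = 4096            # assumed here; take the real cluster/block size from the file system under examination
DOS_MAGIC = b"MZ"              # bytes 4D 5A
NT_MAGIC = b"PE\x00\x00"       # bytes 50 45 00 00
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}   # stored as 0B 01 / 0B 02
SECTION_HEADER_SIZE = 0x28


def pe_carve_size(data: bytes, start: int, cluster_size: int = CLUSTER_SIZE):
    """Validate a candidate PE at `start` (steps 1-6) and return how many bytes to carve
    (steps 7-10: headers plus the furthest PointerToRawData + SizeOfRawData), or None."""
    if data[start:start + 2] != DOS_MAGIC:
        return None
    try:
        e_lfanew = struct.unpack_from("<I", data, start + 0x3C)[0]   # DOS header field pointing at the NT header
        nt = start + e_lfanew
        if e_lfanew + 4 > cluster_size or data[nt:nt + 4] != NT_MAGIC:  # NT header must be in the same cluster
            return None
        num_sections = struct.unpack_from("<H", data, nt + 6)[0]           # File Header: NumberOfSections
        size_of_optional = struct.unpack_from("<H", data, nt + 20)[0]      # File Header: SizeOfOptionalHeader
        optional = nt + 24                                                 # 4 (signature) + 20 (File Header)
        magic = struct.unpack_from("<H", data, optional)[0]
        if num_sections == 0 or magic not in OPTIONAL_MAGIC:
            return None
        size_of_headers = struct.unpack_from("<I", data, optional + 0x3C)[0]
        end = size_of_headers
        section = optional + size_of_optional
        for _ in range(num_sections):
            size_raw, ptr_raw = struct.unpack_from("<II", data, section + 16)   # SizeOfRawData, PointerToRawData
            end = max(end, ptr_raw + size_raw)
            section += SECTION_HEADER_SIZE
        return end
    except struct.error:          # header fields run past the end of the image
        return None


def carve_pe(image: bytes, cluster_size: int = CLUSTER_SIZE):
    """Step 1: test only the first offset of every cluster; return (offset, carved bytes) per hit."""
    hits = []
    for start in range(0, len(image), cluster_size):
        size = pe_carve_size(image, start, cluster_size)
        if size is not None:
            hits.append((start, image[start:start + size]))
    return hits


def build_sample_pe(payloads=(b"\x90" * 0x200, b"A" * 0x100)) -> bytes:
    """Constructed minimal PE32 used only as test input here; it is not a real executable."""
    e_lfanew, size_of_headers = 0x80, 0x400
    dos = (DOS_MAGIC + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_header = struct.pack("<HHIIIHH", 0x14C, len(payloads), 0, 0, 0, 0xE0, 0x0102)
    optional = (struct.pack("<H", 0x10B).ljust(0x3C, b"\x00")
                + struct.pack("<I", size_of_headers)).ljust(0xE0, b"\x00")
    sections, ptr_raw = b"", size_of_headers
    for i, payload in enumerate(payloads):
        name = (".s%d" % i).encode().ljust(8, b"\x00")
        sections += name + struct.pack("<IIIIIIHHI", len(payload), 0x1000 * (i + 1),
                                       len(payload), ptr_raw, 0, 0, 0, 0, 0x60000020)
        ptr_raw += len(payload)
    headers = (dos + NT_MAGIC + file_header + optional + sections).ljust(size_of_headers, b"\x00")
    return headers + b"".join(payloads)


# Constructed sample image: an empty cluster, the PE at a cluster start, then the same PE
# 100 bytes into a cluster, which step 1 deliberately does not see.
SAMPLE_PE = build_sample_pe()
SAMPLE_IMAGE = (b"\x00" * CLUSTER_SIZE
                + SAMPLE_PE.ljust(CLUSTER_SIZE, b"\x00")
                + (b"\x00" * 100 + SAMPLE_PE).ljust(2 * CLUSTER_SIZE, b"\x00"))

if __name__ == "__main__":
    for offset, blob in carve_pe(SAMPLE_IMAGE):
        print("PE at cluster offset %d, %d bytes" % (offset, len(blob)))
```

Carving to the furthest PointerToRawData + SizeOfRawData recovers the file as it lies on disk; anything appended after the last section (overlays, signatures) is not covered by the section table and needs a separate check.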



I made a tool. Click the link below.

https://dorumugs-tools.googlecode.com/files/PE_Carver.py