Unit-2

Malware Forensics Using TSK for Network and Host Discoveries, Using Microsoft Offline API to Registry
Discoveries, Identifying Packers using PEID, Registry Forensics with Reg Ripper Plugins, Bypassing Poison Ivy's
Locked Files, Bypassing Conifer’s File System ACL Restrictions, Detecting Rogue PKI Certificates.
Malware Forensics Using TSK for Network and Host Discoveries

The The Sleuth Kit (TSK) is a powerful suite of forensic tools for investigating and analyzing digital evidence from
a variety of sources, including computers, networks, and other devices. It's frequently used in digital forensics to
process file systems, analyze disk images, and recover data from digital artifacts left by malware. When performing
malware forensics, TSK can be instrumental in both host-based and network-based investigations.

1. Host-Based Discoveries

Host-based forensics involves examining the machine directly or analyzing an image of its storage. This approach
allows investigators to look for signs of malware activity on a specific host.

Using TSK for Host-Based Malware Analysis:

 File System Analysis: TSK tools (like fls, icat, and fsstat) allow forensic analysts to recover deleted files,
examine file system structures, and check for suspicious files or activity on the host.

o Example: Malware often leaves behind its executable file, logs, or configuration files that can be
identified and analyzed.

 Timeline Generation: The mactime command can generate a timeline of file system events. This can reveal
when malware was executed or files were accessed, providing context for the infection timeline.

o Example: If you find suspicious files that were created shortly before or after known malicious
behavior, this helps establish the attack sequence.

 File Carving: Using TSK's icat (file extraction) and fls (file listing) tools, analysts can carve out deleted files
from disk images. Malware may delete its own files when attempting to hide its presence, so identifying and
recovering these files is crucial.

 Registry and Configuration Analysis: In Windows environments, the malware may leave behind entries in
the registry that TSK tools can help analyze. Files like ntuser.dat (which holds user-specific registry settings)
can be examined for abnormal registry keys.

 Detecting Persistence Mechanisms: TSK helps detect malware persistence mechanisms on the host, such as
the creation of scheduled tasks, modification of boot sectors, or manipulation of startup folders. Persistent
malware often alters system files to ensure it runs every time the machine boots.

Examples of Host-Based Discovery Using TSK:

 You are investigating a Windows machine and suspect it has been infected by malware. After acquiring a
disk image, you use TSK's fls command to look for unusual file names that could be associated with the
malware, such as files with random strings or files placed in uncommon directories.

 You find that a file in the system was last modified at the time a suspicious process was running. Using
TSK's mactime tool, you can create a timeline and see that the file was created at the same time as a
command-and- control (C2) connection was established, indicating a likely malware activity.

2. Network-Based Discoveries

Network-based forensics focuses on analyzing network traffic and logs to identify malware activities, such as C2
communications or data exfiltration.

Using TSK for Network-Based Malware Analysis:

While TSK isn't primarily focused on network traffic analysis, it can still play a role in investigating network-based
malware activity through artifacts found in file systems, logs, or network files:
 Analyzing Network Traffic Dumps: Malware often communicates over the network, and such
communications may leave traces in network capture files (e.g., PCAP files). TSK can be used to extract
suspicious files from these captures, such as malware payloads that may be embedded in packets. After
1
 extracting these payloads, they can be analyzed further to understand the malware’s behavior.

 Reviewing System Logs for Network Connections: By analyzing log files and system artifacts using TSK,
analysts can uncover network connections established by malware. For instance, looking at logs or parsing
through the file system for logs related to network activity can reveal IP addresses, ports, and URLs that were
contacted during the infection.

 C2 Server and Malware Domains: Malicious programs often connect to a C2 server over specific ports
or domains. TSK’s fls or icat commands can be used to search for file or registry entries related to these
domains, revealing whether any malware has tried to contact known malicious C2 servers.

Examples of Network-Based Discovery Using TSK:

 During the forensic analysis of a server’s disk image, you discover a configuration file left by the malware.
This file contains a list of IP addresses, which are identified as known C2 servers. By cross-referencing
these with known threat intelligence sources, you confirm that the system was used to communicate with
a botnet.

 By extracting and analyzing a set of log files, you notice connections to unusual foreign IP addresses. This
indicates potential exfiltration activity. These logs could be investigated further to determine if they match
known C2 behaviors.

TSK Tools Useful in Malware Forensics:

 fls: Lists files and directories in a disk image, which can help identify suspicious files left by malware.

 icat: Extracts specific files from a disk image, useful for retrieving malware or files related to malware activity.

 fsstat: Displays file system statistics that can assist in understanding file system structure and
identifying abnormalities like the creation of files at suspicious times.

 mactime: Creates a timeline of file system events, which is essential for analyzing malware activity
and discovering when files were accessed or created.

 sigfind: This tool helps to search for known signatures of malware in disk images.

Key Indicators of Malware in Network and Host Discoveries:

 Unusual File Names or Locations: Files with random names or in hidden directories.

 Abnormal Registry Entries: Malware often modifies or adds registry keys for persistence.

 Unexpected Network Traffic: Communication with foreign or suspicious IP addresses.

 Fileless Malware Artifacts: Use of memory-resident malware that leaves minimal traces but can be
detected by analyzing unusual processes or file activity.

 Altered System Files: Unusual modifications to system or executable files often indicate malware infection.

Malware Forensics Using Microsoft Offline API to Registry Discoveries:

Malware forensics is the practice of investigating and analyzing malicious software to understand its behavior, effects,
and propagation methods. A key component of this process is examining the Windows Registry, a hierarchical
database that stores configuration settings and options for the operating system and applications. The Registry often
contains critical evidence of malware activity, including persistence mechanisms, configuration settings, and traces of
execution.
Microsoft’s Offline Registry APIs enable forensic investigators to analyze registry hives from offline systems,
providing a safe environment for uncovering malicious activities without the risk of tampering with live evidence.
Understanding the Windows Registry in Malware Analysis
The Windows Registry is frequently exploited by malware for:
2
 1. Persistence: Malware often adds itself to startup keys to ensure it executes upon system reboot.
o Example keys:
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
2. Configuration Storage: Malware may store settings, encryption keys, or payloads within registry keys.
3. Security Bypass: Some malware modifies security-related settings in the Registry to disable protections.
4. Hiding Traces: Malware may obfuscate its presence by using encoded or encrypted registry entries.
Microsoft Offline Registry APIs
Microsoft’s Offline Registry APIs allow developers to programmatically interact with registry files extracted from a
target system. Key functions include:
1. RegLoadAppKey: Loads an offline registry hive for read/write operations.
2. RegQueryValueEx: Queries specific values within a registry key.
3. RegEnumKeyEx: Enumerates subkeys within a registry key.
4. RegUnloadAppKey: Unloads a previously loaded registry hive.
These APIs facilitate the safe examination of registry hives outside the compromised system environment.
Workflow for Malware Forensics Using Offline Registry APIs
1. Acquiring Registry Hives
Registry hives are stored as files on disk and can be extracted from a target system using disk imaging tools or manual
copying. Common hive files include:
 SYSTEM
 SOFTWARE
 SECURITY
 SAM
 NTUSER.DAT (user-specific settings)
2. Loading the Hive for Analysis
Using the RegLoadAppKey API, forensic analysts can load an offline registry hive into memory. This allows access to
the hive’s data without affecting its integrity.
3. Identifying Malware Artifacts
Focus on keys commonly used by malware:
 Startup Persistence: Analyze keys like HKLM\Run and HKCU\Run for unusual executables or scripts.
 Configuration Data: Look for unknown or suspicious keys created by malware.
 Security Tampering: Check for altered values in keys like HKLM\SYSTEM\CurrentControlSet\Services.
4. Comparing with Baselines
Compare the loaded registry hive with a clean baseline to identify anomalies, such as unexpected entries or modified
default values.
5. Automating Discovery
3
Develop scripts or tools using Microsoft Offline Registry APIs to automate the enumeration and analysis of keys,
values, and timestamps.
Practical Example
Scenario: Investigating a Suspicious Startup Entry
1. Extract Hive: Acquire the NTUSER.DAT hive from the compromised user’s profile.
2. Load Hive: Use the RegLoadAppKey API to load the hive into a forensic tool.
3. Query Startup Key: Examine HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unknown
entries.
4. Identify Anomalies: Locate suspicious file paths or encoded data.
5. Correlate Evidence: Cross-reference with file system or network activity logs to determine the malware’s
behavior.
Challenges in Malware Forensics
1. Encrypted or Obfuscated Data: Malware may encode its payloads or configuration data in the Registry.
2. Timeline Reconstruction: Registry timestamps may need correlation with other logs to establish an accurate
timeline of events.
3. Complex Persistence Mechanisms: Malware may use advanced techniques like COM hijacking or WMI
persistence, requiring deeper analysis.
Tools and Automation
1. Custom Scripts
Develop scripts using:
 Python: Libraries like pyregf for parsing offline registry hives.
 PowerShell: Cmdlets for interacting with registry data.
2. Forensic Tools
 RECmd: Specialized for offline registry hive analysis.
 Volatility Framework: Useful for memory and registry analysis.
 Microsoft Sysinternals Suite: Tools like Autoruns help identify startup persistence mechanisms.

Identifying Packers using PEID

PEiD (Portable Executable Identifier) is a popular tool for detecting packers, cryptors, and compilers in executable
files. Here's how you can use PEiD to identify packers in an executable file:
Steps to Identify Packers Using PEiD
1. Download and Install PEiD:
o Obtain PEiD from a reliable source.
o Extract and install it on your system (if required). It is often distributed as a standalone application, so
no installation might be necessary.
2. Launch PEiD:
o Open the application. The interface is typically simple and user-friendly.
3. Load the Executable File:
4
 o Click the "..." button or select File > Open from the menu.
o Navigate to the directory containing the executable file you want to analyze, then open it.
4. Automatic Scanning:
o Once the file is loaded, PEiD will automatically analyze it and display results in the main window.
o The output will include details like:
 The detected packer, Cryptor, or compiler.
 The entry point and offset information.
 A signature match (if applicable).
5. Check Additional Information:
o If PEiD identifies a packer, Cryptor, or compiler, it displays the signature match in the results. You
can use this to determine the packing method used.
6. Analyze Further (Optional):
o Use the "Options" menu for additional features, such as viewing raw data or enabling deep scanning.
What If PEiD Doesn’t Detect Anything?
 PEiD relies on a database of signatures to identify packers. If the packer is not in its database:
o Update PEiD's Signature Database: Search for updated signature files online and integrate them.
o Manual Analysis: Use other tools or manually inspect the binary for common packing patterns, such
as modified headers or high entropy.
o Advanced Tools: Tools like Detect It Easy (DIE), Exeinfo PE, or IDA Pro might offer more
comprehensive analysis.
Interpreting the Results
 Known Packers: If PEiD identifies a known packer, you can research that packer for unpacking tools or
techniques.
 Custom Packers: If no packer is identified but there are signs of packing (e.g., high entropy), it might be a
custom or unknown packer.
PEiD is highly useful but may not detect newer or more advanced packers due to its reliance on static signature
analysis.

Registry forensics with reg ripper plu-gins

Registry forensics is a critical part of digital investigations, and RegRipper is one of the most commonly used tools
for analyzing Windows Registry hives. It automates the extraction and parsing of Registry keys and values using
plugins tailored for specific forensic artifacts.
Here’s a guide to using RegRipper plugins for registry forensics:
What is RegRipper?
RegRipper is an open-source tool that parses Windows Registry hives to extract forensic data. It uses plugins, each
designed to parse specific artifacts or areas of the Registry.
Key Features of RegRipper
 Automated analysis with minimal manual effort.
 Plugin-based system for extensibility.
5
  Support for common Registry hives, including:
o NTUSER.DAT
o SAM
o SYSTEM
o SOFTWARE
o SECURITY
Steps to Use RegRipper for Registry Forensics
1. Obtain Registry Hives:
o Extract the required Registry hives (e.g., NTUSER.DAT, SYSTEM, SOFTWARE) from the target
system.
o Use imaging tools like FTK Imager or EnCase to ensure you don’t alter the original evidence.
2. Install and Launch RegRipper:
o Download RegRipper from a trusted source.
o Extract the tool and navigate to its directory.
o You can run RegRipper via a GUI (rr.exe) or command-line interface (rip.exe).
3. Run RegRipper Plugins:
o Load the Registry hive in RegRipper.
o Use the GUI to select the appropriate hive type (NTUSER.DAT, SYSTEM, etc.).
o Choose the plugins to run or allow the tool to run all relevant plugins for the hive.
Command-Line Example:
bash
Copy code
rip.exe -r <path_to_registry_hive> -p <plugin_name>
o -r: Path to the Registry hive.
o -p: Plugin name (e.g., "userassist").
o If you want all plugins for the hive, omit the -p option.
4. Review Output:
o RegRipper generates a human-readable report of extracted data.
o Examine the results for key forensic artifacts such as:
 Recently accessed files (User Assist keys).
 Auto-runs (Run keys).
 Installed software (Uninstall keys).
 Network configuration (SYSTEM hive).
Important RegRipper Plugins
Here are some commonly used plugins and their purposes:
6
Plugin Purpose

userassist Retrieves the User Assist key to show recently executed programs.

run Identifies programs set to auto-run on startup (Run keys).

samparse Parses the SAM hive for user account information.

services Extracts information about Windows services.

networklist Displays information about connected networks.

usbdevices Lists USB devices connected to the system.

timezone Displays the system time zone information.

recentdocs Retrieves the most recently accessed documents.

shellbags Extracts information about folder navigation and opened directories.

bthport Shows Bluetooth devices paired with the system.

Forensic Use Cases

1. Investigating User Activity:
o Use userassist, recentdocs, and shellbags plugins to track file and folder activity.
2. Startup Programs:
o Analyze run and runonce plugins to find malicious or suspicious auto-start entries.
3. USB Forensics:
o Use usbdevices to detect when and which USB devices were connected.
4. Network Analysis:
o Run networklist and dhcp plugins to analyze network configurations and connections.
5. Account Information:
o Use samparse to find user accounts and their last login times.
Tips for Effective Usage
 Plugin Documentation: Familiarize yourself with available plugins and their functionality. Use the rip.exe -l
command to list all plugins.
 Combine with Other Tools: Use RegRipper alongside tools like Volatility or Autopsy for a comprehensive
investigation.
 Regular Updates: Ensure your RegRipper plugins are up to date to handle new artifacts or system updates.
Common Challenges
 Corrupted Hives: If the Registry hive is corrupted, you may need to repair it before analysis.
 Partial Data: Some artifacts may be incomplete due to overwritten data or anti-forensics.
By effectively leveraging RegRipper plugins, you can extract a wealth of forensic artifacts to support your
investigations.

7
Bypassing Poison Ivy's Locked Files
Bypassing locked files created or controlled by Poison Ivy, a well-known Remote Access Trojan (RAT), involves analyzing
and potentially decrypting or extracting the files it locks or hides. Here's a detailed approach tailored to this specific
malware:

1. Secure the Environment

 Isolate the Infected System: Avoid spreading the infection by disconnecting the system from any network.

 Setup a Forensics Lab: Use a virtual machine with snapshots or a physical machine dedicated to malware analysis.

2. Detect Locked Files

 Identify Related Processes:

o Use Process Explorer to locate processes associated with Poison Ivy.

o Look for suspiciously named processes or those with unusual behaviors, such as hidden windows or high CPU
usage.

 Check File Handles:

o Use the Handle tool from Sysinternals to find processes holding locks on files.

3. Analyze Poison Ivy's Behavior

Poison Ivy often locks files or encrypts them as part of its operation. To understand how it interacts with files:

 Static Analysis:

o Disassemble the malware binary using tools like IDA Pro, Ghidra, or Radare2.

o Look for file paths, encryption algorithms, or hardcoded keys.

 Dynamic Analysis:

o Execute the malware in a controlled sandbox (e.g., Cuckoo Sandbox) to monitor how it interacts with files.

4. Access Locked Files

Terminate the Locking Process

 Use Task Manager, Process Explorer, or taskkill to end the malware process.

 Ensure that stopping the process doesn’t delete or corrupt the files. Malware may include self-deletion routines.

Force Unlock File Handles

 Use Unlocker or Handle to forcefully unlock files.

 Tools like IObit Unlocker can also help bypass restrictions.

Access in Safe Mode

 Boot the system into Safe Mode to prevent the malware from running and locking the files.

5. Bypass Encryption

If the locked files are encrypted:

 Extract Keys from Memory:

o Use memory forensics tools (e.g., Volatility) to analyze a memory dump for encryption keys or routines.

o Volatility plugins like strings, malfind, and pslist can help identify and extract relevant data.

8
  Identify Encryption Algorithms:

o Analyze the malware binary to discover the encryption method used.

o Reverse-engineer the decryption routine if necessary.

 Decrypt Files:

o Use the captured keys or replicate the decryption routine to recover locked files.

6. Recover and Analyze Files

Recover Hidden Files

 File Carving:

o Use tools like Scalpel or Foremost to recover file fragments.

 Disk Imaging:

o Create a forensic image of the disk with tools like FTK Imager and analyze hidden or partially overwritten
files.

Restore Previous Versions

 Use Shadow Copies or Volume Shadow Service (VSS) snapshots to recover unaltered versions of the files.

7. Advanced Techniques

Access Files via a Live OS

 Boot the system using a Linux live distribution (e.g., Ubuntu Live or Kali Linux) to bypass malware's control over files.

Modify Access Control Lists (ACLs)

 Change file ownership or permissions using:

o Windows: icacls or takeown.

o Linux: chmod and chown.

8. Automation and Scripting

 Use scripts to automate decryption or file recovery based on observed patterns in file locks or encryption.

9. Documentation and Cleanup

 Document all actions for legal and research purposes.

 After analysis, clean the system using anti-malware tools or reformat if necessary.

Bypassing Conficker's File System ACL Restrictions

Bypassing Conficker's File System ACL (Access Control List) Restrictions in a forensic or investigative context typically
involves overriding or circumventing permissions set by malware or advanced configurations to lock or restrict file
access. Here’s a comprehensive approach:

1. Understand the File System and ACL Setup

Conifer’s file system ACL restrictions may refer to:

 Custom ACL configurations set by malware.

 OS-level ACL mechanisms to restrict access to files or folders.

2. Preparation

9
  Isolate the System: Ensure the target system is disconnected from the network to prevent malware communication or
data exfiltration.

 Forensic Workstation: Use a dedicated, secure forensic environment to avoid contaminating evidence.

3. Identify the Locked Files and ACL Rules

 Locate Locked Files:

o Use ls (Linux/macOS) or dir (Windows) with flags to reveal ownership and permission details.

 Linux: ls -l /path/to/file

 Windows: icacls C:\path\to\file

 Identify ACLs:

o Linux: Use getfacl /path/to/file to check file ACLs.

o Windows: Use icacls C:\path\to\file to view detailed permissions.

4. Bypass ACL Restrictions

4.1. Modify ACL Permissions

 Linux:
o Change ownership:
bash
Copy code
sudo chown user:group /path/to/file

o Change permissions:
bash
Copy code
sudo chmod 777 /path/to/file

o Clear ACLs:
bash
Copy code
sudo setfacl -b /path/to/file

 Windows:

o Take ownership:
cmd
Copy code
takeown /F "C:\path\to\file"

o Grant permissions:
cmd
Copy code
icacls "C:\path\to\file" /grant Everyone:F

4.2. Boot into a Live OS

 Use a live Linux OS (e.g., Ubuntu Live, Kali) to bypass Windows file system restrictions and access files directly.

4.3. Force Unlock Locked Files

 Use tools like:

o Sysinternals Handle (Windows): Identify and close handles to the locked file.
cmd
Copy code
handle.exe > handles.txt
10
 o Unlocker: Forcefully unlock files or folders.

5. Analyze and Copy the Locked Files

 Once permissions are modified or unlocked:

o Copy the files to a safe location for analysis.

o Use forensic tools like FTK Imager, Autopsy, or Sleuth Kit for deeper investigation.

6. Explore Advanced Techniques

6.1. Bypass via Registry Modifications (Windows)

 Some ACL restrictions are governed by registry keys. Locate and modify these with caution:

o Use regedit or reg.exe to locate registry keys associated with file access.

6.2. Memory Analysis

 If ACL restrictions are enforced by malware, analyze the system’s memory:

o Dump memory using tools like Volatility or Rekall.

o Search for processes enforcing ACL restrictions and extract in-memory keys or configurations.

6.3. Direct Disk Access

 Use tools like dd (Linux) or FTK Imager (Windows) to create a raw disk image and bypass ACLs at the filesystem
level.

6.4. Kernel-Level Access

 If standard methods fail, use kernel-level debugging tools to access restricted files:

o Linux: Use debugfs to access the file system directly.

o Windows: Use WinDbg for advanced analysis.

7. Restore and Secure Files

 After bypassing ACLs:

o Document original permissions for forensic integrity.

o Restore file permissions to prevent further access issues.

8. Tools and Scripts

 Linux: setfacl, getfacl, chown, chmod

 Windows: icacls, takeown, Sysinternals Suite

 Cross-Platform: Forensic tools like FTK Imager, Autopsy, and Sleuth Kit.

Detecting Rogue PKI Certificates

Detecting rogue PKI (Public Key Infrastructure) certificates is essential to ensure the security of your system, as rogue
certificates can be exploited by attackers to impersonate legitimate entities, perform man-in-the-middle (MitM)
attacks, or bypass authentication mechanisms.

Here’s a structured approach to detecting rogue PKI certificates:

1. Monitor Certificate Transparency Logs

 Certificate Transparency (CT): Public logs of all certificates issued by trusted Certificate Authorities (CAs).

11
  Use tools like:

o Google's Certificate Transparency Log Viewer

o crt.sh: Search for certificates issued to your domain or organization.

 Set up alerts for certificates issued to your domain using tools like CertSpotter or Censys.

2. Audit Internal PKI

 Conduct regular audits of certificates issued within your organization.

 Use tools to list all certificates, such as:

o OpenSSL commands for manual checks.

o Certificate management tools like Venafi, DigiCert, or Microsoft Certificate Services.

3. Validate Certificate Chains

 Ensure certificates in use are issued by trusted Certificate Authorities.

 Detect anomalies like certificates with unexpected issuers or missing chain links.

 Use tools like openssl:

bash

Copy code

openssl verify -CAfile <ca-bundle.pem> <certificate.pem>

4. Monitor Network Traffic for Rogue Certificates

 Use network security tools (IDS/IPS systems, firewalls) to inspect SSL/TLS traffic.

 Look for certificates with:

o Unknown issuers.

o Expired or revoked status.

o Weak cryptographic algorithms (e.g., MD5 or SHA-1).

5. Leverage Threat Intelligence

 Subscribe to threat intelligence feeds to stay updated on known rogue CAs or malicious certificates.

 Example sources:

o AbuseIPDB.

o OSINT platforms like VirusTotal and Shodan.

6. Check Certificate Revocation Lists (CRLs) and OCSP

 Ensure proper validation of certificates via:

o CRLs (Certificate Revocation Lists): Download and compare against active certificates.

o OCSP (Online Certificate Status Protocol): Query the status of certificates in real-time.

7. Analyze Certificate Metadata

 Identify certificates with unusual attributes:

o Short or excessively long validity periods.

12
 o Mismatched Subject and Issuer fields.

o Suspicious usage fields (e.g., Extended Key Usage).

8. Automation and Tools

 Use automated solutions to detect rogue certificates:

o Zed Attack Proxy (ZAP): For dynamic analysis of websites.

o Certbot: Verifies and manages certificates.

o Custom scripts: Automate detection using APIs from CT log services or TLS libraries.

 Example Python script using crt.sh API:

python

Copy code

import requests

domain = "example.com"

url = f"https://crt.sh/?q={domain}&output=json"

response = requests.get(url)

if response.status_code == 200:

certificates = response.json()

for cert in certificates:

print(cert['common_name'], cert['issuer_name'])

9. Conduct Penetration Testing

 Simulate attacks to detect rogue certificate vulnerabilities.

 Ensure systems reject unauthorized or self-signed certificates.

10. Incident Response for Detected Rogue Certificates

 If a rogue certificate is found:

o Revoke it immediately.

o Update systems to trust only valid certificates.

o Investigate the source of the rogue certificate issuance.

13
14