Sunday, 27 November 2011

Cryptoscan: Fixed Windows Vista+ support

There’s been a minor update to the batch script that I’ve provided with Cryptoscan, as the previous version only worked with the versions of Windows supported by Volatility 1.3 beta. I know that to truly solve the problem I should port the module to Volatility 2.0, but I already tried that and failed miserably. Anyone want to help? ;>

The new batch script runs Cryptoscan using version 1.3 and then the other two modules (i.e. Strings and Modules) using version 2.0.

To get it working, here are 3 simple steps:
1. Extract 'Volatility-1.3_beta'.
2. Extract 'Volatility-2.0.standalone' to the same folder as before.
3. Extract 'Cryptoscan' to the same folder too (overwrite if asked).

You can now run ‘Cryptoscan.cmd’ and enjoy! ;)

If you have some problems getting it working then check my previous post or leave a comment.

PS. There's also been a small change to the provided binaries: instead of GnuWin32, the batch script now uses UnxUtils, since they do exactly the same job and are smaller.

Tuesday, 22 November 2011

Compressed (and Encrypted) Alternate Data Streams

The technique of hiding data within NTFS Alternate Data Streams (aka ADS) has been widely documented and isn’t something that should take a forensic investigator by surprise. Then, about a month ago, I came across an article with an extraordinary name, Stealth Alternate Data Streams and Other ADS Weirdness, which describes ADS tricks that hinder certain tools from finding the ‘hidden’ streams. You can probably see where I’m going with this… today I read an article titled Detecting and Manipulating Compressed Alternate Data Streams in a Forensics Investigation (unfortunately there's no freely available copy of it), which describes another technique of hiding data.

The article explains that by compressing a file using WinRAR with the option for preserving NTFS streams turned on (Figure 1), we can evade some anti-virus scanners; according to this post, WinRAR is the only archiver that supports this at the moment. I also tested 7-Zip and WinZip 16.0, but neither of them can handle file streams.

Figure 1. Preserving ADS.

The article, not surprisingly, uses VirusTotal to compare the results of scanning the archive with different anti-virus engines. In October 2007, when the research was carried out, only four of all the supported scanners detected the embedded malicious software. Bearing in mind that this was a few years ago, I couldn’t resist trying it out myself. I first created a text file with some random text and then attached the EICAR test file to it as a stream. Then I archived the file, making sure it included the file streams, and scanned it with the anti-virus on my machine, but it didn’t detect anything (I used F‑Secure Internet Security 2011 with today’s virus definitions).

Figure 2. The result of scanning a RAR archive with an EICAR-TEST file hidden in a file stream.

I was also curious how other anti-virus scanners would cope, so I uploaded the file to VirusTotal; the detection rate was only 37.2% (Figure 2). But it gets even better… you see, WinRAR’s other NTFS option reads ‘save file security’. The article doesn’t cover this feature, but I decided to give it a go: I encrypted the file (with a stream) using the NTFS Encryption (aka EFS) feature and then archived it, making sure that both of WinRAR's NTFS options were selected. Guess what, the detection rate was 0% (Figure 3).

I opened the archive with WinRAR on a different machine (a VM with Windows XP SP3) and the file was shown in green, indicating that it is compressed, but when I unpacked it, because the user didn’t have the right encryption key, WinRAR skipped the streams. What was even more surprising, the file extracted without showing any errors whatsoever. Just to clarify, the archive successfully extracts files with streams when opened by the user who created it. This suggests to me that, for some weird reason, WinRAR has a different implementation for compressing encrypted files and their streams: it decrypts the files and stores them in "plain text", unlike the file streams, which are stored encrypted.

Figure 3. The result of scanning a RAR archive with an encrypted file stream.

Let’s consider the implications. If a suspect had used a RAR archive to hide NTFS-encrypted files, then unless the investigator tried to open the archive under the suspect’s account (e.g. using LiveView) or imported the suspect's encryption key on his investigation workstation (I’m not sure whether or how that is doable), he would have missed the streams. On the other hand, if the archive is suspiciously large compared to its content, that may be a clue for an investigator.

Update (21 Dec 2011): I decided to write a tool that would scan a hard drive for RAR files and check whether they contain any NTFS streams. Before doing so, though, I tried the above method with encrypted NTFS streams again. As it turned out, I must have made a mistake when first testing this method, because WinRAR has a bug that makes it skip the NTFS streams of encrypted files. Hence the 0% detection rate on VirusTotal (the file wasn't included!).

Update (31 Jan 2012): I've contacted the team behind WinRAR about the issue and this is their response: "Sorry, WinRAR does not support encrypted streams now. It would require another approach like using ReadEncryptedFileRaw instead of BackupRead for encrypted files and it is not implemented. Maybe we'll do it in the future." So, as one can infer, it is a known issue that may or may not be solved in the future.
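The scanner idea from the December update, as an added example that is not the post's own tool: a small Python walker over RAR 4.x block headers that lists NTFS streams, which WinRAR stores as service headers named "STM" right after their parent file. It assumes RAR 4.x archives (the "Rar!\x1a\x07\x00" signature) with entries under 4 GiB and no salt or extended-time fields in the service header; the sample archive at the bottom is constructed in code, not real WinRAR output.

```python
import struct, zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"
MAIN_HEAD, FILE_HEAD, NEWSUB_HEAD, ENDARC_HEAD = 0x73, 0x74, 0x7A, 0x7B
LONG_BLOCK = 0x8000  # ADD_SIZE present: packed data follows the header (entries < 4 GiB assumed)

def iter_blocks(data):
    """Yield (head_type, flags, header, payload) per RAR 4.x block, verifying header CRCs."""
    if not data.startswith(RAR4_MARKER):
        raise ValueError("not a RAR 4.x archive")
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        header = data[pos:pos + head_size]
        if zlib.crc32(header[2:]) & 0xFFFF != head_crc:  # HEAD_CRC is the low 16 bits of CRC32
            raise ValueError("bad header CRC at offset %d" % pos)
        yield head_type, flags, header, data[pos + head_size:pos + head_size + add_size]
        if head_type == ENDARC_HEAD:
            break
        pos += head_size + add_size

def entry_name(header):  # NAME_SIZE is at offset 26, FILE_NAME starts at 32; returns (name, end)
    size, = struct.unpack_from("<H", header, 26)
    return header[32:32 + size], 32 + size

def find_ntfs_streams(data):
    """Return [(parent_file, stream_name, stored_bytes)] for each "STM" service header. WinRAR
    writes a file's streams right after that file, so a stream is attributed to the preceding
    FILE_HEAD. Assumes no salt/ext-time fields: bytes after "STM" are the UTF-16LE stream name."""
    found, parent = [], None
    for head_type, flags, header, payload in iter_blocks(data):
        if head_type == FILE_HEAD:
            parent = entry_name(header)[0].decode("latin-1")
        elif head_type == NEWSUB_HEAD:
            name, end = entry_name(header)
            if name == b"STM":
                found.append((parent, header[end:].decode("utf-16-le"), len(payload)))
    return found

# Constructed sample archive (stored entries, not real WinRAR output): notes.txt + stream "hidden".
def rar_block(head_type, flags, body, payload=b""):
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest + payload
def rar_entry(payload, name, subdata=b""):  # host Win32, version 2.9, method 0x30 (store)
    return struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, zlib.crc32(payload),
                       0, 29, 0x30, len(name), 0x20) + name + subdata
TEXT, STREAM = b"just some random text\n", b"<constructed stream content>"
SAMPLE_RAR = (RAR4_MARKER + rar_block(MAIN_HEAD, 0, bytes(6))
              + rar_block(FILE_HEAD, LONG_BLOCK, rar_entry(TEXT, b"notes.txt"), TEXT)
              + rar_block(NEWSUB_HEAD, LONG_BLOCK, rar_entry(STREAM, b"STM", "hidden".encode("utf-16-le")), STREAM)
              + rar_block(ENDARC_HEAD, 0, b""))
```

Summing the stored_bytes of the streams against the sizes of the visible files gives the size discrepancy the post mentions as a clue for an investigator.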

Friday, 11 November 2011

File System Tunnelling

While reading through Harlan Carvey’s slides from PFIC 2011, Introduction to Windows Forensics, I came across the term File System Tunnelling. A quick Google search led me to Raymond Chen’s blog post titled The apocryphal history of file system tunnelling.

As I started reading, I immediately realised that I had heard about this concept before, but until then I hadn’t known what it was. Without spoiling it for you, I won’t tell you exactly what it says, but I really liked the quantum mechanics analogy and the explanation of how “short name saving” works.

To cut a long story short: even if you know what File System Tunnelling is but don’t know what I’m talking about, go and give it a read!