Wednesday, October 27, 2010

Sniper Forensics 2.0 Tools, Links, and Commands I figured that there would be a lot of questions about the tools I use and the command syntax that I covered in SF2. There is obviously a LOT I was not able to cover due to time constraints, so if anyone has any specific questions about which tools do what, how to use them, and how to interpret the output, please let me know and I will create a FAQ blog post.

Thank you for attending my talk! I hope you get out of it as much I put into it!

Happy Hunting!

F-Response (
Memoryze (
Audit Viewer (
UnxUtils (
Grep (
TextPad (
Case Notes (
The Sleuth Kit (
Log2Timeline (
SIFT Workstation (
AnalyzeMFT (
RegRipper (
RipXP (
FTK Imater 3.0 (

Use these commands to rip registry hives.
C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\SAM –f SAM > c:\cases\ripped\systemY_sam_ripped.txt

C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\system –f System> c:\cases\ripped\systemY_system_ripped.txt

C:\tools\RegRipper\rip.exe –r c:\cases\customerX\registry\ntuser.dat –f ntuser> c:\cases\ripped\systemY_ntuser.dat.userX_ripped.txt

Use these commands to create a bodyfile and timeline. If you want a more detailed explanation of how to generate timelines, read my blog posts about timeline creation.

C:\tools\TSK\fls –m ‘C:/’ –f ntfs –r \\.\F: > c:\cases\customerX\timelines\systemY_bodyfile

Perl C:\tools\TSK\ –d –b C:\cases\customerX\timelines\systemY_bodyfile\systemY_timeline.csv

You can add logs to your bodyfile with Log2Timeline
C:\>Perl C:\Perl\bin\Log2timeline –t >> c:\cases\customerX\timelines\systemY_bodyfile
You can hives and NTUSER.dat files to your bodyfile with regtime
C:\>Perl C:\tools\bin\ –m HKLM/system –r c:\cases\customerX\hives\system >> \c:\cases\customerX\timelines\systemY_bodyfile

Search for suspect keywords
C:\cases\customerX\ripped>strings *.txt | grep –i
C:\cases\customerX\timeline>strings *.csv | grep –i

Search for suspect timeframe
C:\cases\customerX\ripped>strings *.txt | grep –i
C:\cases\customerX\timeline>strings *.csv | grep –i

Know how to stack your searches! CRITICAL!!!

Grep –i | grep –i
Grep –i | grep –i | grep –i

Sunday, October 24, 2010

SecTor 2010 - Debuting SF2

I will be debuting the second version of Sniper Forensics, titled, "Target Acquisition" at SecTor in Toronto, Ontario, Canada on October 27th. It's a great conference and I couldn't be more excited!

Here are some quotes about what others are saying about SF2!

“As environments continue to grow in size and complexity, incident response teams entrenched in the “image everything” methodology will find themselves not able to understand the situation as fast as the threat is evolving within a target environment. Adopting the Sniper Forensics Methodology, will decrease the cost of the investigations while providing results many times faster over traditional approaches when applied to modern environments.”

- Nicholas Percoco
Senior Vice President, Trustwave SpiderLabs


“If you have a specific goal, you are much more likely to achieve it. Knowing what you want out of an investigation, before you start, will help you know when you're finished.”

- Jesse Kornblum
Computer Forensics Research Guru, Kyrus Technology


"Using F-Response as part of the "Sniper Forensics" model is the perfect logical extension of our original mission. Get answers, not just information."

- Matt Shannon
Founder, F-Response


“'Sniper Forensics: Target Acquisition' walks up to an analyst and slaps him right in the face! Here are targeted tools and techniques, straight from successful field ops, that every analyst needs to know! Once you've defined your target, go grab the data you need, and optimize your time and resources to get the job done!”

- Harlan Carvey
Vice President of Advanced Technical Projects, Terremark Worldwide
Author of “Windows Forensic Analysis 2nd Edition”
Author of the Blog, “”

Saturday, October 23, 2010

The “Not So” Perfect Keylogger

I have seen a number of cases lately in which the method of data aggregation on Point of Sale Terminals was the use of Blazing Tools Perfect Keylogger. This is a commercial tool that is used to track the computer use of individuals within a family or a company. This blog is not about the legality or ethics of this tool, but rather about the technical specifics when looking for this tool during a compromise.

Below, is a timeline excerpt from a case I was working recently in which I saw Perfecet Keylogger running natively (ie…under the default naming convention). It should be noted, that the means of infiltration in 99% of these cases in an open remote administration port and default administrative passwords. This gave the intruders an easy path onto the target systems, and the credentials necessary to install the malware.

Pay special attention if you will, to the file names besides bpk.exe, specifically the letters after the “k” in “bpk”.

F:\timelines>strings _timeline.csv | grep -i bpk
Fri Aug 21 2009 02:42:56,499712,m..b,r/rrwxrwxrwx,0,0,13919-128-3,'C:/'/WINDOWS/system32/bpk.exe
Fri Aug 21 2009 02:42:56,19456,m..b,r/rrwxrwxrwx,0,0,13920-128-3,'C:/'/WINDOWS/system32/bpkr.exe
Fri Aug 21 2009 02:42:56,19968,m..b,r/rrwxrwxrwx,0,0,13922-128-3,'C:/'/WINDOWS/system32/bpkhk.dll
Fri Sep 04 2009 01:12:50,188895,ma.b,r/rrwxrwxrwx,0,0,14008-128-3,'C:/'/WINDOWS/security/bpk.chm
Mon Oct 19 2009 07:02:03,623,ma.b,r/rrwxrwxrwx,0,0,13996-128-1,'C:/'/WINDOWS/system32/bpk.dat
Sat Aug 21 2010 02:43:06,22586,...b,r/rrwxrwxrwx,0,0,13923-128-4,'C:/'/WINDOWS/Prefetch/

As you can see, some of the key file names associated with Perfect Keylogger are: bpk.exe, bpkr.exe, bpkhk.dll, bpk.dat, and the configuration file not listed in the first timeline excerpt, pk.bin. These files are normally found in the C:\Windows\System32 directory, but can really run from any custom location, as indicated by the second timeline excerpt. When it’s seen in a RAM dump, it looks like this:

Below is a second example, in which the naming convention has been changed to confuse the would be investigator. Look at the letters after the “t” in “wuault.exe”. Do they look familiar? They should!

F:\timelines>strings timeline.csv | grep -i wuault
Fri Sep 04 2009 01:34:51,438272,m..b,r/rrwxrwxrwx,0,0,14055-128-3,'C:/'/WINDOWS/security/wuault.exe
Fri Sep 04 2009 01:34:51,24576,m..b,r/rrwxrwxrwx,0,0,14056-128-3,'C:/'/WINDOWS/security/wuaulthk.dll
Fri Sep 04 2009 01:34:51,40960,m..b,r/rrwxrwxrwx,0,0,14059-128-3,'C:/'/WINDOWS/security/wuaultwb.dll
Fri Sep 04 2009 01:34:51,215040,m..b,r/rrwxrwxrwx,0,0,14060-128-3,'C:/'/WINDOWS/security/wuaulti.dll
Fri Sep 04 2009 01:34:51,7680,m..b,r/rrwxrwxrwx,0,0,14061-128-3,'C:/'/WINDOWS/security/wuaultr.exe
Sat Sep 04 2010 05:44:06,16674,...b,r/rrwxrwxrwx,0,0,13976-128-4,'C:/'/WINDOWS/Prefetch/

When captured in a RAM dump, it looks like this:

Notice that the path is C:\windows\security. Also of note, look at the timeline above…see the “birth” date in my timeline? It says “Fri Aug 21 2009 02:42:56”, but the first prefetch file shows a timestamp of, “Sat Aug 21 2010 02:43:06”. About 10 seconds later…exactly one year later? What’s up with that? Well…let me tell you, but first, let’s quickly go over the Master File Table ($MFT), specifically the Standard_Information ($S_I), and File_Name ($F_N) attributes.
REAL basically, we all know that the $MFT holds information about the files on the disk. Well, one of those attributes, the $S_I, is accessible by the operating system (OS) and the user. So, what…that means that they can be changed, accessed, and yes…stomped. BUT, the $F_N attribute is not touched by anything except the kernel. So what does that mean? It means no modifications by the OS or the user…ie…no stomping.

So, Harlan sent me a Perl script he wrote which goes through the $MFT and extracts and parses the $S_I and $F_N attributes. So with our friend bpk.exe, it would look like this:

13919 FILE 14 1 0x38 4 1
0x0010 96 0 0x0000
M: Fri Aug 21 07:42:56 2009 Z
A: Tue Oct 19 16:24:13 2010 Z
C: Tue Oct 19 16:12:26 2010 Z
B: Fri Aug 21 07:42:56 2009 Z ← This is the “modified” birth date of the file on the system.
0x0030 104 0 0x0000
FN: bpk.exe Parent Ref: 847 Parent Seq: 1
M: Sat Aug 21 07:42:56 2010 Z
A: Sat Aug 21 07:42:56 2010 Z
C: Sat Aug 21 07:42:56 2010 Z
B: Sat Aug 21 07:42:56 2010 Z ← This is the actual “birth” date of the file on the system.
0x0080 88 1 0x0000

And…it matches our Prefetch file, which further supports our finding that the timestamps have been modified. So be wary…if you come across Perfect Keylogger in a case, it will be offset by one year – I have seen this to be true in every Perfect Keylogger case I have worked, and it seems to be done as part of the install script. Now, while I have seen the binaries and associated dlls renamed, I have not seen the dump file (bpk.dat) or the configuration file (pk.bin) renamed. After downloading a trial version of Perfect Keylogger, I can see that you can change the output file, and path, so it’s possible…but like I said…just never seen it. I’m not certain the same can be said for the configuration file. I have tried several times unsuccessfully, so I think it may be hard coded into the program.

So if you try to open the bpk.dat, and the pk.bin they appear to be encrypted. Or are they? Through the efforts of the SpiderLabs Research Team, we found that they are NOT really encrypted, but rather encoded with a single xor key, 0xAA. So, when you use a simple xor script, against either one, you may get something that looks like this (since this was from a real case, I have modified the output, but the methods and the output format looks the same):

PK Password: "y0uv3b33np0wn3d"
License Name: ""
Email Enabled?: true
SMTP Server: ""
SMTP Port: 25
SMTP Username: "user"
SMTP Password: "p@ssw0rd"
Email Address: ""
FTP Enabled?: false
Hotkey Hex: keycode=0xdc modifier=0x07
Key-combo: SHIFT + CTRL + ALT + 6

So, this is great! You have the attacker’s email, the server he was using, his username and password! Better yet, you have the key-combo which is used to bring the Keylogger out of hidden mode. If the attacker wanted to use FTP instead of SMTP, you would see the same type of login information as you do for the SMTP example provided above. If you know that it’s running, but you don’t see the icon in the bottom of the screen, it’s in hidden mode. Simply use this key combination, and BAM, the icon will suddenly appear! Then, simply enter in the “PK Password” and you have access to the admin console of the keylogger! This configuration file will give you access to the time intervals in which the dump file is emailed or FTP’d. Pretty slick eh!

Now, it also uses the same xor to encode the dump file! So if you run the same xor script, you may see something that looks like this:

F:\ >cat bpk.dat.out
06-09-2010 03:22
BlazingTools Perfect Keylogger: Options
[Password captured: p@ssw0rd]
19-10-2010 10:53
19-10-2010 10:54
mkdir images
cd im
19-10-2010 10:56
mkdir vol

Nice! Note that if you don’t have any scripting-fu (Perl, Ruby, Python, etc) you can simply install the trial version of Perfect Keylogger in a vmimage, and use the “view the log” option to see the decoded versions of the logs.

Additionally, the only registry entries I have seen for Perfect Keylogger are in the UserAssist key of an ntuser.dat file, showing initial execution, and in the RUN key of the SOFTWARE hive, showing that it’s set to start up at reboot.

NTUSER.DAT – UserAssist Key
UEME_RUNPATH:C:\Documents and Settings\\Desktop\i_bpk2007.exe (3) ← Indicates execution of the installation binary.

Software Hive
C:\P15xx\DisableWriteCache.exe -s all
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
C:\WINDOWS\System32\bpk.exe ← Indicates that the keylogger will start each time the system boots.

So, if you are working on a case and you expect that you may have Perfect Keylogger, here are the key indicators of compromise:

Presence of:
• pk.bin, or bpk.dat (configuration or dump files)
• bpk.exe, wuault.exe, wuauclt.exe (running from the incorrect directory)
• binary and dlls timestopmed (check the $MFT)
• Entries in the ntuser.dat and SOFTWARE hives
• Active process running RAM with the same ending letters (as seen in the timeline example)

You can decode the configuration file and dump files with a simple xor, 0xAA key. Alternatively, you can use the demo version of the keylogger itself to open the dump file.

Good luck, and happy hunting!

Tuesday, October 12, 2010

Call for quotes

I will be delivering Sniper Forensics v2.0 - Target Acquisition at SecTor this month in Toronto, Canada. To add some down home flavor to the preso, I would like to issue a "call for quotes" to anyone who uses the Sniper Forensics methodology. I will use between 5 and 10 quotes depending on your may not use any! But please, if you have heard my talk or read about it, and use the SF methodology, please let me know what you think!