
Spread virus through windows terminal service

Harlan Carvey, in Windows Registry Forensics (Second Edition), 2016

Remnants

One of the things I really like about digging into the Registry is the amount of information that is available, often times even after a user or intruder has taken “antiforensics” steps in order to hide their activities. Often users and intruders will take steps to cover their tracks and remove indications of their activities without realizing that their interactions with the operating system (and often times, with applications) are being “recorded” automatically.

For example, I was examining a system about a year ago which had been found to be infected with a particular variant of a remote access Trojan (RAT). This particular RAT variant is usually installed as a Windows service, allowing the intruder to access the system with privileges greater than that of the system administrator. Further, this particular bit of malware is most often assumed to be installed via a “spearphishing” e-mail, in which the user is enticed to click on a link or malicious document, resulting in the installation of the RAT. In this particular case, Registry artifacts revealed that the RAT had been installed as a result of someone with physical access to the system plugging a USB thumb drive into the system (it was mounted as the E:\ volume) and launching an installer application. When the user’s employer requested that they turn in the system for examination, the user attempted to remove the RAT…in fact, artifacts in the Registry revealed that the last key in focus in the Registry Editor before it was closed by the user was the key alphabetically following the name with which the RAT was installed. Additional information was extracted from the hibernation file through the use of the Volatility Framework, but the preponderance of artifacts extracted from the Registry clearly indicated that the RAT was installed and running on the system with the full knowledge (and involvement) of the user.

As I’m writing this section of the book, I’m working (as part of my day job) on an examination in which an intruder had access to an infrastructure via domain administrator credentials and Terminal Services. I’d tried to backtrack the intruder’s connections as they hopped from system to system, but they had a penchant for clearing the Windows Event Logs on some (albeit not all) systems. Even though I could not see all of the data that I wanted to, there was more than enough data in the Registry to tell me when they were logged into the system and active (days and times), as well as other systems to which they connected. Even without the Windows Event Log records, I was able to build a time-based map of the intruder’s activities, showing what time of day they were active, files and resources they’d accessed, etc.