Part of me wanted to do Malware Analysis and find unknown evil in the enterprise by investigating interesting traffic, processes, communications and just plain dumb luck to find something, then utilize multiple methodologies and utilities to track down the infection and remove it.
Then I read an article on Windows 8 Beta and Jump Lists (Thanks Harlan) and that got me to thinking a little more on the subject of finding out what I can in that OS in regards to the Jump List and Registry.
A few minutes ago I submitted my initial proposal to my professor on my work. Hopefully I will be presenting this at BSides Iowa in 2012.
Proposal that was Sent:
One of the most difficult processes in digital forensics is understanding how new technology interacts with current technology, and how we can utilize current Digital Forensics technologies and processes to recover and find hidden information. Recently Microsoft released the Developer Beta Preview of Windows 8; with this release Microsoft has added some features to the Operating System that will present some interesting complications to digital forensics.
The first thing I plan to look at is the way that Windows 8 handles the Registry Hive. Traditionally the registry has been known to house a myriad of useful information for the digital forensic investigator. This information has included, but is not limited to: removable media that has been plugged into the device, the current configuration of the machine the operating system is installed on, files recently accessed by users, orphaned artifacts of uninstalled software, and potential indicators of malware infection.
Analyzing the Registry data variances from Windows 7 to Windows 8 will require utilizing multiple virtual machines to create usable environments and the creation of a baseline file to compare the changes against. Once these baselines have been established we can compare the registry files between the two versions and see what is different between Windows 7 and Windows 8. We will then install various software versions and compare the changes to the registry from these installs across the environment. After we have installed our software we will uninstall it and compare the registries to see what artifacts have been left behind by the uninstall process. This will allow us to see what Registry entries remain across both versions. Finally we will infect both virtual machines with malicious code to see how the registries handle malware infection across both versions of the tested Windows operating systems.
The second thing I intend to look at is the Jump Lists. This was a new artifact that was found in Windows 7. The Jump List allows quick access to recently accessed files, or most frequently accessed files [1]. There are other capabilities in the jump lists in Windows 7 that should carry over. From my initial look at the Windows 8 operating system it appears that you can customize the jump lists. I am interested to see whether, if the jump list is customized to hold only a small number of items, more is stored in the registry.
Investigating the Jump Lists will require setting limits on the data retained by the jump lists and seeing how the operating system reacts. We will need to understand how these changes impact the registry and the jump list if the jump list is turned off and told to remember nothing, told to remember less, or if the limit is increased. This will require analyzing the registry as we make the changes to the jump list, comparing the baseline against the modified versions.
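The baseline-and-compare procedure described in the two passages above (registry changes across install, uninstall and infection, and across changes to the jump list limit) comes down to diffing registry snapshots. As an added example that is not part of the original proposal, the Python below parses two text exports in the format regedit writes and reports which keys and values were added, removed or changed between a baseline and a later export. The key paths, value names and contents in the sample data are constructed and hypothetical, not real Windows 7 or Windows 8 settings.

```python
"""Baseline-vs-modified registry diff over text (.reg) exports.

Added example, not the proposal author's code. Parses the export format that
regedit writes and reports keys/values added, removed or changed between two
snapshots. All sample data is constructed; key and value names are hypothetical.
"""
import re

# Constructed baseline export (hypothetical keys, not a real machine).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"Version"="1.0"
"InstallDir"="C:\\Program Files\\ExampleApp"

[HKEY_CURRENT_USER\Software\ExampleVendor\Explorer\Example_Advanced]
"Example_JumpListLimit"=dword:0000000a
"""

# Constructed export taken later: the app was updated, the (hypothetical)
# jump list limit was set to "remember nothing", and a package that was
# installed and then uninstalled left a key behind.
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp]
"Version"="1.1"
"InstallDir"="C:\\Program Files\\ExampleApp"
"LastRun"="2012-01-01"

[HKEY_CURRENT_USER\Software\ExampleVendor\Explorer\Example_Advanced]
"Example_JumpListLimit"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleVendor\LeftoverKey]
"Orphan"="still here after uninstall"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


def decode_value(raw):
    """REG_SZ -> str (unescaped), REG_DWORD -> int; other types stay as raw text."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg backslash escaping
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a regedit text export.
    Continuation lines (trailing backslash, used for long hex data) are joined."""
    hives, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            hives.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            hives[current][name] = decode_value(m.group(2))
    return hives


def diff_reg(base, after):
    """Compare two parsed snapshots; every list is sorted by key path then name."""
    report = {"keys_added": [], "keys_removed": [], "values_added": [],
              "values_removed": [], "values_changed": []}
    for key in sorted(set(base) | set(after)):
        if key not in base:
            report["keys_added"].append(key)
        elif key not in after:
            report["keys_removed"].append(key)
        else:
            b, a = base[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    report["values_added"].append((key, name, a[name]))
                elif name not in a:
                    report["values_removed"].append((key, name, b[name]))
                elif b[name] != a[name]:
                    report["values_changed"].append((key, name, b[name], a[name]))
    return report


def format_report(report):
    """Render the diff as one line per finding, prefixed +, - or ~."""
    out = [f"+ key   {k}" for k in report["keys_added"]]
    out += [f"- key   {k}" for k in report["keys_removed"]]
    out += [f"+ value {k} :: {n} = {v!r}" for k, n, v in report["values_added"]]
    out += [f"- value {k} :: {n} = {v!r}" for k, n, v in report["values_removed"]]
    out += [f"~ value {k} :: {n}: {o!r} -> {w!r}" for k, n, o, w in report["values_changed"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(diff_reg(parse_reg(BASELINE), parse_reg(AFTER))))
```

In practice the two inputs would be full exports taken from the baseline and modified virtual machines (for example with `regedit /e` on each), and the same diff serves every step of the procedure: before and after an install, after the uninstall, after the infection, and after each change to the jump list limit.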
Understanding how the registry behaves within the Windows 8 operating system will allow us to know which tools currently handle the new operating system, which tools would need to be modified, and what options are missing from the tool sets currently deployed by digital forensic investigators. This research will give us a chance to understand the changes we are going to be faced with, as well as share our knowledge with others in the field.