Monday, May 7, 2012

Windows 8 - Refresh Excerpt

There has been some interesting things recently about Windows 8 Forensics and the research being done.I have cleaned up some of my research that I have been doing for my up coming talks and am publishing as short excerpt here. Since the information is longer than a normal blog, I have uploaded it as a PDF here.

Feed back and questions are welcomed. I will be updating this with my final research thesis, and slides as new information and understand comes about. 

Thank you.. 

Overview: 

Windows 8 introduces two new options for system recovery, these options are: Refresh Points and System Recovery. Within Refresh Point there are two options; you can utilize the default refresh point or a custom refresh point.

Both Refresh options can be utilized by Windows 8 to remove malicious files and corrupted entries into the operating system. When using Refresh it is important to understand that the operating system creates a Recovery Image that makes a backup of the Windows System Files. For the default recover these Windows System Files are from when Windows 8 was first installed. When the Custom Refresh option is used than the Windows System Files are from the date that the Custom Refresh was created, the Custom Refresh also will contain the desktop applications that you have installed. Refresh Images DO NOT contain your Metro-style apps, documents, personal settings or user profiles, this is because that information is preserved at the time you refresh your PC.

The System Recover option in Windows 8 will return the Operating system back to the factory default. While using the System Recover there will be options on Using Recover with Multiple Drives, and how personal files are removed. 

Tuesday, May 1, 2012

Tools in the Toolbox Mandiant Red Curtian:

** Some how this missed it's cycle date.. not sure how I confused a 2011 date with 2013. I will be doing some more analysis with Red Curtain this summer with malware and scoring to see if I can better understand it. This is my Initial Review of the tool.. ** 

I have decided in order for me to understand my tools that I plan to utilize for DFIR I will need to research them and provide analysis of what I can conclude from them.  The first up is Mandiant’s Red Curtian.  While I am aware that there are other reviews out there, I felt with my background, and career focus some more light might be shed on them.

MANDIANT Red Curtain is free software for Incident Responders that assists with the analysis of malware. MRC examines executable files (e.g., .exe, .dll, and so on) to determine how suspicious they are based on a set of criteria. It examines multiple aspects of an executable, looking at things such as the entropy (in other words, randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat "score." This score can be used to identify whether a set of files is worthy of further investigation.
The first impression of Red Curtain is favorable. The user interface is clean and well organized; there is not much to this application. You have the option to scan either a single file or a folder and all subfolders.

Lab Setup:
               
HP Elitebook,
                                Win 7, 8GB Ram, i5 Processor
Malware Being Analyzed: (Linked to Virus Total Results)
               
tlbinf3232.exe
               
mdhcp32.exe
Symantec Analysis:
               
Files Submitted
#
Filename
MD5
Determination
Signature Protection Name
RR Seq#
1
mdhcp32.exe
2FC9278067DC3BF99C964311B4796EA6
New Threat
125119
2
tlbinf3232.exe
2FC9278067DC3BF99C964311B4796EA6
New Threat
125119

Developer Notes:
mdhcp32.exe is a non-repairable threat. This file is contained in bad stuffs.zip.
tlbinf3232.exe is a non-repairable threat. This file is contained in bad stuffs.zip.


Mandiant Red Curtain Scan:
According to the following table, these items are typically not suspicious.


What I found most interesting is that a lot of my Incident Response Tools have a higher score then the malware tested against. The application Image Burn, and Unetbootin scored a Higher threat score (3.753+) then my malware did.


While I think that there is potential here, with my initial run of tests, relying on Red Curtain to alert me to a suspected piece of malware I would not advise.



Online Reviews: