Archive for July, 2013

analyzeMFT – ADS support added

The latest version of analyzeMFT is available on github. I’ve not pushed it out to Pypi and will hold off until I’m sure it is free of bugs due to this new work. The changes are:

Fixed parsing and printing of UTF-16 strings, removed unicodeHack stuff.

My original code took a brute force approach to parsing file names from the MFT records. What I did not know at the time was that they were UTF-16. While working on other things, I took the time to figure that out and replaced about 20 lines of kludge with one line of code.

Fixed printing of unicode strings to output files.

While figuring out how to read UTF-16, I figure out how to write UTF-8.

Added ADS support.

This is probably a work in progress but it seems to be working so I’ll push this out. Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents away for later use. If it encounters a named $DATA record, it does two things:

  • A duplicate of the parent record is created and the filename is changed to be <parent filename>:<ADS filename>.
  • All ADS records, parent and children, get a flag set in the new ADS column

So you might see:

/normal.txt Normal file
/file-w-ads.txt Normal file with ADS
/file-w-ads.txt:adsfile.txt The ADS file attached to file-w-ads.txt
/dir Directory
/dir:adsdir.txt The ADS file attached to dir
/file-w-large-ads.txt Normal file with ADS
/file-w-large-ads.txt:largeads.txt The (non-resident) ADS file attached to file-w-large-ads.txt
/file-w-2-ads.txt Normal file with two ADS files
/file-w-2-ads.txt:ads1.txt The first ADS file attached to file-w-2-ads.txt
/file-w-2-ads.txt:ads2.txt The second ADS file attached to file-w-2-ads.txt

All of the records would have a ‘Y’ in the ADS column to indicate that either they are an ADS file or they have an ADS file attached.

As always, please let me know if I broke anything….

Categories: analyzeMFT

Adventures in Powershell for IR

July 18, 2013 1 comment

So, I wanted to access locked registry hives. Simple enough using F-Response, but it devolves into various solutions that are not well supported after that. I came across one solution that was of particular interest from a response side but also from an attack side:

Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks

In short, it opens a read handle to the C volume, parses the NTFS structures, and reads the files directly thus bypassing all access controls and locks. You do need to be local admin to run it.

This is great for getting locked registry hives, or for remotely copying NTDS.dit without deploying hacker tools on the remote system. Bear in mind that the remote system needs to be running the WS-Management service. This is not running by default on our Windows 7 desktops, but the author mentioned that it is running by default on Windows Server 2012.

There are a number of niggling issues with getting PowerShell scripts to run. This article covers almost all of them nicely: Execution Policy

However, it didn’t cover one issue – what happens when you try to do:

Set-ExecutionPolicy RemoteSigned

and get a registry access error?

This post explains how to edit the registry directly.

Once you’ve worked your way through those issues, you can grab local and remote files to your heart’s content.