Archive
analyzeMFT – ADS support added
The latest version of analyzeMFT is available on github. I’ve not pushed it out to Pypi and will hold off until I’m sure it is free of bugs due to this new work. The changes are:
Fixed parsing and printing of UTF-16 strings, removed unicodeHack stuff.
My original code took a brute force approach to parsing file names from the MFT records. What I did not know at the time was that they were UTF-16. While working on other things, I took the time to figure that out and replaced about 20 lines of kludge with one line of code.
Fixed printing of unicode strings to output files.
While figuring out how to read UTF-16, I figure out how to write UTF-8.
Added ADS support.
This is probably a work in progress but it seems to be working so I’ll push this out. Whenever analyzeMFT encounters a resident $DATA record, it stores a copy of the contents away for later use. If it encounters a named $DATA record, it does two things:
- A duplicate of the parent record is created and the filename is changed to be <parent filename>:<ADS filename>.
- All ADS records, parent and children, get a flag set in the new ADS column
So you might see:
| /normal.txt | Normal file |
| /file-w-ads.txt | Normal file with ADS |
| /file-w-ads.txt:adsfile.txt | The ADS file attached to file-w-ads.txt |
| /dir | Directory |
| /dir:adsdir.txt | The ADS file attached to dir |
| /file-w-large-ads.txt | Normal file with ADS |
| /file-w-large-ads.txt:largeads.txt | The (non-resident) ADS file attached to file-w-large-ads.txt |
| /file-w-2-ads.txt | Normal file with two ADS files |
| /file-w-2-ads.txt:ads1.txt | The first ADS file attached to file-w-2-ads.txt |
| /file-w-2-ads.txt:ads2.txt | The second ADS file attached to file-w-2-ads.txt |
All of the records would have a ‘Y’ in the ADS column to indicate that either they are an ADS file or they have an ADS file attached.
As always, please let me know if I broke anything….
Adventures in Powershell for IR
So, I wanted to access locked registry hives. Simple enough using F-Response, but it devolves into various solutions that are not well supported after that. I came across one solution that was of particular interest from a response side but also from an attack side:
Using PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File Locks
In short, it opens a read handle to the C volume, parses the NTFS structures, and reads the files directly thus bypassing all access controls and locks. You do need to be local admin to run it.
This is great for getting locked registry hives, or for remotely copying NTDS.dit without deploying hacker tools on the remote system. Bear in mind that the remote system needs to be running the WS-Management service. This is not running by default on our Windows 7 desktops, but the author mentioned that it is running by default on Windows Server 2012.
There are a number of niggling issues with getting PowerShell scripts to run. This article covers almost all of them nicely: Execution Policy
However, it didn’t cover one issue – what happens when you try to do:
Set-ExecutionPolicy RemoteSigned
and get a registry access error?
This post explains how to edit the registry directly.
Once you’ve worked your way through those issues, you can grab local and remote files to your heart’s content.
Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics 