Section 5.4: Advanced Evidence Recovery Flashcards
Name the four wiping tools adversaries may use for anti-forensics
SDelete, Eraser, BleachBit, and BCWipe.
What is SDelete and how can I track it?
It is a Microsoft-signed tool. It can be tracked by searching the journals for DataOverwrite entries paired with alphabetical letters, by examining the $I30 index, and by checking prefetch to identify all the files affected by the tool.
BCWipe features specific to file wiping
It wipes file slack, MFT records, directories, slack space inside drives, and temporary data inside the LogFile.
Where can traces that BCWipe was used be found?
In the USN journal and in some LogFile data.
BCWipe process as found inside the USN journal
BCWipe rewrites the file with random characters multiple times to delete the MFT record, and then deletes the file. It then creates a hidden directory named “~BCWipe.tmp” to overwrite the metadata in the parent root (5). It then creates many “SECRET.txt!!!” files to fill and replace the $I30 index of the file's parent directory. It then creates a new parent directory named “BCW-DIR-NODES”, moves those text files into it, and renames each of them to dir1, dir2, etc. That parent directory then deletes itself. The remnants of this process are LOGFILEWIPER and SWP_INSBCB.tmp.
What executable can be found inside prefetch that indicates BCWipe was completed?
INSBCBUS.exe-78A69D45.pf
What are some things the Eraser tool does not wipe? What does it wipe?
It does not completely wipe the journaling, the index, or the MFT record, and it does not wipe Zone Identifiers. The Zone Identifiers can carry URL information as well as the name of the file that was wiped. It does wipe the file and its timestamps, overwriting the file seven times.
What does cipher.exe do and what are some indicators that it was executed?
It is meant to encrypt data but can wipe the original data before encrypting it. Indicators include seeing the /w switch and a directory in the journals named “EFSTMPWP”.
Name a few tools meant to wipe registries. What areas of the registry do adversaries tend to wipe?
CCleaner and BleachBit. Adversaries go for keys tied to keyword searches and user activity, such as WordWheelQuery, UserAssist, ComDlg32, and RecentDocs.
What tool can I use to find deleted registry records? How can they be recovered? What gets recovered?
Registry Explorer. To recover data, check VSS copies and the registry transaction logs. Keys, values, and timestamps can be recovered.
What is %COMSPEC%?
A command used to obfuscate scripts, such as those placed inside a registry hive.
What is a good method to find base64 scripts when using Registry Explorer?
Do a Find search and check all values, including slack. Set the byte size to 512 and the base64 size to 50 as a starting point, then increase or decrease them to adjust.
Name and briefly explain the two methods to recover files.
Metadata method: retrieving files that are deallocated and have not been overwritten.
Carving method: retrieving files through their file signatures when they have indeed been overwritten. The carving tool searches for a starting signature and carves until it finds a footer.
Name a few files of interest when carving files.
LNK files, prefetch files, recycle bin entries, and executable files are of interest. Also look for exfiltration files.
What tools can I use to recover files by means of the metadata method?
icat to retrieve deleted files individually, or tsk_recover to extract all unallocated files.