After Challenge II

I will also show that the artifacts really were easy to find.

From the timeline of changes on the hard disk (without taking deleted files into account) you get something like this (sorted by CreationTime):

Name,LastWriteTime,CreationTime,LastAccessTime
YouTube – Sergio Mendes & Brasil 66 – Mas Que Nada.html,2008-07-22 20:10:02,2008-07-22 20:10:02,2008-08-04 17:36:14
developersguide.pdf,2008-07-22 20:07:36,2008-07-22 20:07:24,2008-08-04 17:36:17
Desktop.ini,2008-07-22 20:01:21,2008-07-22 20:01:21,2008-08-04 17:36:20
Sample Pictures.lnk,2008-05-01 13:25:11,2008-07-22 20:01:21,2008-08-04 17:36:20
Desktop.ini,2008-07-22 20:01:21,2008-07-22 20:01:21,2008-08-04 17:36:20
Myfile.doc,2008-05-01 13:48:23,2008-07-22 20:01:21,2008-08-04 17:36:17
desktop.ini,2008-07-22 20:01:21,2008-07-22 20:01:21,2008-08-04 17:36:17
Sample Music.lnk,2008-05-01 13:25:11,2008-07-22 20:01:21,2008-08-04 17:36:20
tshark.exe,2008-07-22 19:54:47,2008-07-22 19:54:47,2008-08-04 17:36:16
MyTool.exe,2008-07-22 19:53:39,2008-07-22 19:53:39,2008-08-04 17:36:14
editindexsave.class.php,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
editstatement.class.php,2008-07-22 19:42:17,2008-07-22 19:43:27,2008-08-04 17:36:19
editkeysave.class.php,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
editsentencesave.class.php,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
editsentence.class.php,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
editkey.js,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
getdbdirectories.class.php,2008-07-22 19:42:17,2008-07-22 19:43:27,2008-08-04 17:36:19
edit_key.class.php,2008-07-22 19:42:16,2008-07-22 19:43:27,2008-08-04 17:36:19
(...)

As can be seen, the following files ended up on this list:

In addition, PDF files have a characteristic header: %PDF-1.4 (well, up to the version number). Searching for this string in the disk image returns the following results:

22310610: $this->out('%PDF-1.3');
22324471: $this->out('%PDF-'.$this->PDFVersion);
28275968: $this->out('%PDF-'.$this->PDFVersion);
64880640:%PDF-1.4
65634304:%PDF-1.4
65992192:%PDF-1.4
66479104:%PDF-1.4
89541330: $this->out('%PDF-1.3');
89555191: $this->out('%PDF-'.$this->PDFVersion);
95506688: $this->out('%PDF-'.$this->PDFVersion);

As can be seen, there are four PDF documents on the disk (the string %PDF-1.4 was found four times; the remaining hits are lines of PHP source code that write a PDF header, not documents). Now they just need to be located. The number at the start of each line is the offset in the image file at which the match occurs. Using the information about the structure of the disk, one can find the files (or their remnants) to which the found offsets belong:

$ fsstat hdb1-img.dd
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: D2F836EDF836CF89
OEM Name: NTFS
Volume Name: New Volume
Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 64239
First Cluster of MFT Mirror: 96358
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 5849
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 512
Total Cluster Range: 0 - 192715
Total Sector Range: 0 - 192715

$AttrDef Attribute Values:
$STANDARD_INFORMATION (16)   Size: 48-72   Flags: Resident
$ATTRIBUTE_LIST (32)   Size: No Limit   Flags: Non-resident
$FILE_NAME (48)   Size: 68-578   Flags: Resident,Index
$OBJECT_ID (64)   Size: 0-256   Flags: Resident
$SECURITY_DESCRIPTOR (80)   Size: No Limit   Flags: Non-resident
$VOLUME_NAME (96)   Size: 2-256   Flags: Resident
$VOLUME_INFORMATION (112)   Size: 12-12   Flags: Resident
$DATA (128)   Size: No Limit   Flags:
$INDEX_ROOT (144)   Size: No Limit   Flags: Resident
$INDEX_ALLOCATION (160)   Size: No Limit   Flags: Non-resident
$BITMAP (176)   Size: No Limit   Flags: Non-resident
$REPARSE_POINT (192)   Size: 0-16384   Flags: Non-resident
$EA_INFORMATION (208)   Size: 8-8   Flags: Resident
$EA (224)   Size: 0-65536   Flags:
$LOGGED_UTILITY_STREAM (256)   Size: 0-65536   Flags: Non-resident

So in this case the offset has to be divided by 512 (the cluster size) to get the data unit for ifind:

64880640:%PDF-1.4

$ ifind -d 126720 hdb1-img.dd
5659-128-4

$ istat hdb1-img.dd 5659
MFT Entry Header Values:
Entry: 5659        Sequence: 5
$LogFile Sequence Number: 8045520
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created: Tue Jul 22 20:13:49 2008
File Modified: Tue Jul 22 20:13:49 2008
MFT Modified: Tue Jul 22 20:13:49 2008
Accessed: Tue Jul 22 20:13:49 2008

$FILE_NAME Attribute Values:
Flags: Archive
Name: osstmm.en.2.1.pdf
Parent MFT Entry: 4961   Sequence: 1
Allocated Size: 0   Actual Size: 0
Created: Tue Jul 22 20:13:49 2008
File Modified: Tue Jul 22 20:13:49 2008
MFT Modified: Tue Jul 22 20:13:49 2008
Accessed: Tue Jul 22 20:13:49 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 100
Type: $DATA (128-4)   Name: $Data   Non-Resident   size: 660870

65634304:%PDF-1.4

$ ifind -d 128192 hdb1-img.dd
5679-128-4

$ istat hdb1-img.dd 5679
MFT Entry Header Values:
Entry: 5679        Sequence: 3
$LogFile Sequence Number: 7990515
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created: Tue Jul 22 20:07:36 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:07:36 2008
Accessed: Tue Jul 22 20:07:36 2008

$FILE_NAME Attribute Values:
Flags: Archive
Name: usersguide.pdf.svn-base
Parent MFT Entry: 5672   Sequence: 58221
Allocated Size: 0   Actual Size: 0
Created: Tue Jul 22 20:07:36 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:07:36 2008
Accessed: Tue Jul 22 20:07:36 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 114
Type: $DATA (128-4)   Name: $Data   Non-Resident   size: 205429

65992192:%PDF-1.4

$ ifind -d 128891 hdb1-img.dd
5845-128-4

$ istat hdb1-img.dd 5845
MFT Entry Header Values:
Entry: 5845        Sequence: 2
$LogFile Sequence Number: 8022651
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created: Tue Jul 22 20:07:24 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:09:36 2008
Accessed: Tue Jul 22 20:07:36 2008

$FILE_NAME Attribute Values:
Flags: Archive
Name: developersguide.pdf
Parent MFT Entry: 5655   Sequence: 1
Allocated Size: 0   Actual Size: 0
Created: Tue Jul 22 20:07:24 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:07:36 2008
Accessed: Tue Jul 22 20:07:36 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 106
Type: $DATA (128-4)   Name: $Data   Non-Resident   size: 458889

66479104:%PDF-1.4

$ ifind -d 129842 hdb1-img.dd
5848-128-4

$ istat hdb1-img.dd 5848
MFT Entry Header Values:
Entry: 5848        Sequence: 11380
$LogFile Sequence Number: 8017622
Not Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created: Tue Jul 22 20:07:24 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:07:36 2008
Accessed: Tue Jul 22 20:07:36 2008

$FILE_NAME Attribute Values:
Flags: Archive
Name: usersguide.pdf
Parent MFT Entry: 5655   Sequence: 1
Allocated Size: 0   Actual Size: 0
Created: Tue Jul 22 20:07:24 2008
File Modified: Tue Jul 22 20:07:36 2008
MFT Modified: Tue Jul 22 20:07:36 2008
Accessed: Tue Jul 22 20:07:36 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 96
Type: $DATA (128-4)   Name: $Data   Non-Resident   size: 205429
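The step carried out by hand above (byte offset from grep, divided by the 512-byte cluster from fsstat, fed to ifind -d) as an added Python example; this is not the author's code. It also encodes the observation that only cluster-aligned hits were real documents while the mid-cluster hits were PHP source, and runs against a small constructed image rather than hdb1-img.dd.

```python
import re

# Values from the page: fsstat reported a 512-byte cluster and grep -b printed
# byte offsets; `ifind -d` expects the data unit (cluster) number instead.
CLUSTER_SIZE = 512
IMAGE_NAME = "hdb1-img.dd"          # image name used on the page
PDF_MAGIC = re.compile(rb"%PDF-")   # same string the page grepped for

def offset_to_data_unit(offset: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Byte offset (as printed by grep -b) -> cluster number for `ifind -d`."""
    return offset // cluster_size

def is_file_start(offset: int, cluster_size: int = CLUSTER_SIZE) -> bool:
    """A file's first byte sits on a cluster boundary, so a magic found
    mid-cluster lives inside some other file (here: PHP source that emits
    '%PDF-'), not at the start of a PDF document. Heuristic only: a PDF
    embedded in a container (zip, mail spool) is also mid-cluster."""
    return offset % cluster_size == 0

def scan_image(image: bytes, cluster_size: int = CLUSTER_SIZE) -> list[dict]:
    """Find every '%PDF-' in a raw image and annotate each hit the way the
    page does by hand: cluster for ifind, and whether it is a document start."""
    hits = []
    for m in PDF_MAGIC.finditer(image):
        off = m.start()
        unit = offset_to_data_unit(off, cluster_size)
        hits.append({
            "offset": off,
            "unit": unit,
            "doc_start": is_file_start(off, cluster_size),
            "ifind": f"ifind -d {unit} {IMAGE_NAME}",
        })
    return hits

def build_sample_image(cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Constructed 8-cluster image mimicking the page's layout: PHP library
    source in cluster 1, one PDF at cluster 3, a second PDF at cluster 5."""
    img = bytearray(8 * cluster_size)
    php = (b"<?php\n$this->out('%PDF-'.$this->PDFVersion);\n"
           b"$this->out('%PDF-1.3');\n")
    img[cluster_size:cluster_size + len(php)] = php
    pdf1 = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    img[3 * cluster_size:3 * cluster_size + len(pdf1)] = pdf1
    pdf2 = b"%PDF-1.4\n" + b"x" * 700          # spans clusters 5 and 6
    img[5 * cluster_size:5 * cluster_size + len(pdf2)] = pdf2
    return bytes(img)

if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

On the real image the same arithmetic gives 64880640 // 512 = 126720, the data unit the page passes to ifind; the resulting "ifind" strings are what you would run next, followed by istat on the returned MFT entry.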

As it happens, I know Metasploit, so these files (and the fact that SVN was used) made me think of that tool, whose traces are fairly easy to find, for example by searching the disk image for the word metasploit.

All of this could have been found just as easily using, say, ProDiscover Basic. I also need to take a closer look at PyFlag some day.

The original of this post is available at: I po wyzwaniu II

Author: Paweł Goleń