Sunday, November 1, 2015

Volatility Memory Forensics - Investigating a potential virus situation - Part 5

Part 1 | Part 2 | Part 3 | Part 4


Final Pass – ShimCache, ShellBags & Prefetch
Before closing off, I decided to take a look at the ShimCache, ShellBags and Prefetch to see whether any of them held information relevant to Alyssa’s concerns.

To look at the ShimCache, the following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shimcache > shimcache-results.txt”. The --kdbg and --dtb values are passed explicitly so that Volatility does not have to rescan the image for the kernel debugger block and directory table base on every plugin run. The results were then reviewed with “cat shimcache-results.txt”. While things generally “seemed normal”, two entries stood out to me: “MSID117.tmp”, which ran from “C:\Windows\Installer”, and “setup.exe”, which ran from “C:\windows\TEMP\CR_50612”. According to (productforums.google.com, n.d.) the latter may be related to the Google update services and may have contributed to the slowness she experienced. The fact that there are other Google-related entries around the same time suggests that this is indeed activity from Google products. Two caveats apply when reading ShimCache output: an entry shows that the application-compatibility subsystem saw the file, which by itself is not proof that the file executed, and on Windows 7 the “Last Modified” column is the file’s last-modified timestamp rather than the time it ran, so entries that are close together in time were written around the same time rather than necessarily executed together.


Figure 16: ShimCache entries as reported by the Volatility shimcache plugin



To look at the ShellBags, the following command was used: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shellbags > shellbag-result.txt”, followed by “cat shellbag-result.txt”. Peering into the ShellBags did not turn up anything that made me want to look further.

Finally, as with the ShellBags, a review of the Prefetch data did not produce anything that caused me to look further. To view the Prefetch information, the following command was executed: “vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 prefetchparser > prefetchparser-results.txt” (prefetchparser is a community-contributed plugin rather than part of the core Volatility 2.4 distribution), followed by “cat prefetchparser-results.txt”.
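The ShimCache review above was done by eye over the full output of “cat”. As an added example (not code from the original post), the following Python script performs the same triage mechanically over saved Volatility 2 shimcache text output: it parses each entry, flags executables that ran from transient locations such as C:\Windows\TEMP, C:\Windows\Installer or a user’s Temp directory, and lists which other entries carry a timestamp close to a given entry, as was done above for the Google-related entries. The sample lines are constructed for illustration, the two-column Win7 layout (“Last Modified”, then “Path”) is assumed to match what the plugin prints, and the list of suspicious directories is an assumption of the example rather than anything from the post.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the shape of Volatility 2 "shimcache" output for a
# Win7 profile (assumed layout: a "Last Modified" column followed by "Path").
# These lines are illustrative only and are not data from the original post.
SAMPLE_SHIMCACHE = """\
Volatility Foundation Volatility Framework 2.4
Last Modified                  Path
------------------------------ ----
2015-09-04 21:10:02 UTC+0000   \\??\\C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe
2015-09-04 21:10:15 UTC+0000   \\??\\C:\\Windows\\TEMP\\CR_50612\\setup.exe
2015-09-04 21:11:40 UTC+0000   \\??\\C:\\Windows\\Installer\\MSID117.tmp
2015-09-03 08:00:00 UTC+0000   \\??\\C:\\Windows\\System32\\notepad.exe
2015-09-02 12:30:00 UTC+0000   \\??\\C:\\Users\\user\\AppData\\Local\\Temp\\update.exe
"""

# One entry per line: Volatility's "YYYY-MM-DD HH:MM:SS UTC+0000" timestamp, then the path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+(\S.*?)\s*$")

# Assumed list of "transient" directories worth a second look (example assumption).
SUSPICIOUS_DIRS = (
    "c:\\windows\\temp\\",
    "c:\\windows\\installer\\",
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
)


def parse_shimcache(text):
    """Return [(timestamp, path)] for every entry line; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        path = m.group(2)
        if path.startswith("\\??\\"):   # strip the NT object-manager prefix
            path = path[4:]
        entries.append((ts, path))
    return entries


def flag_entries(entries):
    """Return [(timestamp, path, [reasons])] for entries that merit follow-up."""
    flagged = []
    for ts, path in entries:
        low = path.lower()
        reasons = []
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("ran from a transient directory")
        if low.endswith(".tmp"):
            reasons.append("executable with .tmp extension")
        if reasons:
            flagged.append((ts, path, reasons))
    return flagged


def neighbours(entries, path_fragment, window_minutes=5):
    """Entries whose timestamp lies within +/- window_minutes of the first entry
    matching path_fragment (the reference entry itself is excluded).
    Caveat: on Win7 this column is the file's last-modified time, not an
    execution time, so this groups files written together, not files run together."""
    frag = path_fragment.lower()
    refs = [ts for ts, p in entries if frag in p.lower()]
    if not refs:
        return []
    window = timedelta(minutes=window_minutes)
    return [(ts, p) for ts, p in entries
            if abs(ts - refs[0]) <= window and frag not in p.lower()]


if __name__ == "__main__":
    # Usage: python shimcache_triage.py shimcache-results.txt  (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHIMCACHE
    parsed = parse_shimcache(text)
    print("%d ShimCache entries parsed" % len(parsed))
    for ts, path, reasons in flag_entries(parsed):
        print("%s  %s  <- %s" % (ts, path, "; ".join(reasons)))
        for nts, npath in neighbours(parsed, path):
            print("    near in time: %s  %s" % (nts, npath))
```

Run it against the real output with “python shimcache_triage.py shimcache-results.txt”; with no argument it runs over the constructed sample. Flagged entries are a starting point for a manual look, not a verdict, for the reasons given in the caveats above.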

At this point it was decided to end the analysis: after the effort expended so far, I am unable to say with any certainty that this computer is infected.

Conclusion

While Alyssa initially reported that the computer was running slowly and that she thought it might be infected with a virus, from the memory dump I took of her machine I was unable to find any evidence supporting that theory, neither in the processes and network connections with which the investigation began nor in the ShimCache, ShellBags and Prefetch data reviewed above. There can be numerous reasons why no virus was detected; a memory image only captures what was resident at the moment of acquisition, for example, so malware that was not running at that time would not appear in it. What can be said is that nothing in the data I examined indicated an infection.


References

Limelight Networks Inc. (2014). Annual Report 2014. Tempe, AZ 85281: Limelight Networks Inc. Retrieved from investors.limelightnetworks.com: http://investors.limelightnetworks.com/
productforums.google.com. (n.d.). Google Chrome Help Forum. Retrieved from productforums.google.com: https://productforums.google.com/forum/#!topic/chrome/FZDBl2Jzkok
support.kaspersky.com. (2015, September 17). How to get a dump file of AVP.EXE process for Kaspersky Lab products. Retrieved from support.kaspersky.com: http://support.kaspersky.com/general/dumps/8006


Appendix 

Appendix A: Examiner Workstation Specifications

·         Computer Name: securitynik
·         OS Name: Ubuntu
·         OS Version: 14.04.3 LTS
·         System Make/Model: Virtual Machine
·         System Serial Number: 001122345
·         Time Zone: GMT-4
·         System date/time is consistent with the time zone listed above, as verified by http://nist.time.gov/.


Appendix B: Tools

·         dumpit.exe - v1.3.2.20110401
·         fciv.exe – v2.05
·         UNRAR 5.00 beta 8 freeware
·         Volatility Framework 2.4
·         foremost 1.5.7
·         ClamAV - v0.98.7
·         geoiptool
·         grep – v2.16
·         WinRar 5.11 beta
·         cat
·         more


Appendix D: Evidence Verification

Table 2 outlines the hashes obtained throughout the evidence verification process. md5sum was used to calculate the MD5 hashes.

Designation         Filename                         MD5 Hash                          Description
PRE-ANALYSIS
Evidence Created    ALYSSA-PC-20150905-001215.rar    88f81f7990fb1b2e18080b6ca4744433  Image created
Evidence Examined   ALYSSA-PC-20150905-001215.rar    88f81f7990fb1b2e18080b6ca4744433  Image examined
POST-ANALYSIS
Evidence Created    ALYSSA-PC-20150905-001215.rar    88f81f7990fb1b2e18080b6ca4744433  Image created
Evidence Examined   ALYSSA-PC-20150905-001215.rar    88f81f7990fb1b2e18080b6ca4744433  Image examined

Table 2: Evidence Verification Table


Other posts in this series
Volatility Memory Forensics - Investigating a potential virus situation - Part 1
Volatility Memory Forensics - Investigating a potential virus situation - Part 2
Volatility Memory Forensics - Investigating a potential virus situation - Part 3
Volatility Memory Forensics - Investigating a potential virus situation - Part 4
Volatility Memory Forensics - Investigating a potential virus situation - Part 5