Final Pass – ShimCache, ShellBags & Prefetch
Before closing off, I decided to take a look at the ShimCache, ShellBags and Prefetch data to see whether any of them held information that might explain Alyssa's concerns.
To look at the ShimCache, the following command was executed:

vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shimcache > shimcache-results.txt

The results were then reviewed with "cat shimcache-results.txt". While things generally "seemed normal", two entries stood out: "MSID117.tmp", run from "C:\Windows\Installer", and "setup.exe", run from "C:\windows\TEMP\CR_50612". According to (productforums.google.com, n.d.) this may be related to Google update services, and an update running in the background may have contributed to the slowness she experienced. The other Google-related entries with timestamps close to these two suggest that this activity is tied to Google products rather than to malware. Two caveats apply when reading this output. First, on Windows 7 the timestamp the plugin reports is the file's last-modified time, not the time of execution, so entries clustered around the same time show files that were written together (for example by a single installer), not necessarily files that ran together. Second, a legitimate installer dropping a temporary setup.exe under C:\Windows\TEMP is the same pattern that malware droppers use, so the path alone is not a verdict either way; it is the surrounding context (the Google update binaries and the installer entries) that makes the benign explanation the more likely one here.
Figure 16: ShimCache output from shimcache-results.txt
To look at the ShellBags, the following command was used:

vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 shellbags > shellbag-result.txt

The results were then reviewed with "cat shellbag-result.txt". Peering into the ShellBags did not produce anything that made me want to look further. Note that ShellBags record folders browsed through Explorer, so they speak to what the user opened rather than to what was executed.
Finally, like the ShellBags, a review of the Prefetch data did not produce anything that caused me to want to look further. To view the Prefetch information, the following command was executed:

vol.py --filename=./ALYSSA-PC-20150905-001215.raw --verbose --kdbg=0xf6fc0001a0f0 --dtb=0x187000 --profile=Win7SP1x64 prefetchparser > prefetchparser-results.txt

The results were then reviewed with "cat prefetchparser-results.txt". (prefetchparser is a community plugin rather than one of the core Volatility 2.4 plugins, so it has to be placed in a directory that is passed to vol.py with --plugins= before this command will work.)
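Reviewing these text dumps by eye is fine for a handful of entries, but the ShimCache on a long-lived machine holds hundreds. The script below is an added example, not code from the original post: it parses the "Last Modified / Path" text that the Volatility 2 shimcache plugin writes, flags entries run from temp-style locations or carrying a .tmp extension, and lists the other entries whose timestamps fall within a few minutes of a chosen one, which is the "other Google entries around the same time" check done by hand above. The sample output embedded in it is constructed to mirror the entries discussed above and is not the real shimcache-results.txt; the location patterns and the five-minute window are assumptions chosen for illustration.

```python
"""Triage helpers for the text output of Volatility 2's shimcache plugin.

Added example for this post, not the author's code. SAMPLE_OUTPUT is a
constructed stand-in for shimcache-results.txt; the suspicious-location
patterns and the five-minute window are illustrative assumptions.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", ["modified", "path"])

# Constructed sample in the plugin's "Last Modified / Path" layout: two benign
# system entries, the two entries the post calls out, and Google-related
# entries whose timestamps sit close to them.
SAMPLE_OUTPUT = r"""
Last Modified                  Path
------------------------------ ----
2015-08-19 13:36:27 UTC+0000   \??\C:\Program Files\Internet Explorer\iexplore.exe
2015-09-04 21:13:11 UTC+0000   \??\C:\windows\TEMP\CR_50612\setup.exe
2015-09-04 21:13:30 UTC+0000   \??\C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
2015-09-04 21:12:58 UTC+0000   \??\C:\Windows\Installer\MSID117.tmp
2015-09-04 21:14:02 UTC+0000   \??\C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2015-07-14 02:40:00 UTC+0000   \??\C:\Windows\System32\notepad.exe
"""

# One data row: timestamp, a UTC offset, then the path. Header, banner and
# dashes lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000\s+(\S.*?)\s*$")

# Assumed triage rules: paths a dropper commonly runs from, plus executables
# hiding behind a .tmp extension. First matching rule wins.
SUSPICIOUS = [
    ("executed from C:\\Windows\\Temp",
     re.compile(r"^[a-z]:\\windows\\temp\\", re.I)),
    ("executed from a user temp directory",
     re.compile(r"\\appdata\\local\\temp\\", re.I)),
    ("executed from a Downloads directory",
     re.compile(r"\\users\\[^\\]+\\downloads\\", re.I)),
    ("executable with a .tmp extension",
     re.compile(r"\.tmp$", re.I)),
]


def parse_shimcache(text):
    """Return Entry objects for every data row, with the \\??\\ prefix stripped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        path = m.group(2)
        if path.startswith("\\??\\"):
            path = path[4:]
        entries.append(Entry(ts, path))
    return entries


def flag_suspicious(entries):
    """Return (path, reason) pairs for entries matching a SUSPICIOUS rule."""
    hits = []
    for e in entries:
        for reason, rx in SUSPICIOUS:
            if rx.search(e.path):
                hits.append((e.path, reason))
                break
    return hits


def entries_near(entries, target_path, window=timedelta(minutes=5)):
    """Paths of other entries whose Last Modified time is within `window` of
    the target's. On Windows 7 this timestamp is the file's mtime, not an
    execution time, so proximity means "written around the same time"."""
    target = next(e for e in entries if e.path.lower() == target_path.lower())
    return sorted(e.path for e in entries
                  if e is not target
                  and abs(e.modified - target.modified) <= window)


if __name__ == "__main__":
    parsed = parse_shimcache(SAMPLE_OUTPUT)
    for path, reason in flag_suspicious(parsed):
        print("FLAG  %-60s %s" % (path, reason))
        for other in entries_near(parsed, path):
            print("      near: %s" % other)
```

To use it on the real file, replace SAMPLE_OUTPUT with open("shimcache-results.txt").read(). The flagged list is a starting point for review, not a verdict: as the two entries above show, a legitimate installer and a dropper leave the same kind of path, and it is the neighbouring entries that tell them apart.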
At this point I decided to end the analysis: after the effort expended so far, I am unable to say with any certainty that this computer is infected.
Conclusion
While Alyssa initially mentioned that the computer was running slowly and that she thought it might be infected with a virus, the memory dump I extracted from her machine did not yield any evidence to support that theory, either in the processes and network connections with which my investigation began or in the artifacts examined afterwards. There can be many reasons why no virus was detected; all I can say is that the data I examined contained nothing that pointed to one.
References
Limelight Networks Inc. (2014). Annual Report 2014. Tempe, AZ 85281: Limelight Networks Inc. Retrieved from http://investors.limelightnetworks.com/
productforums.google.com. (n.d.). Google Chrome Help Forum. Retrieved from https://productforums.google.com/forum/#!topic/chrome/FZDBl2Jzkok
support.kaspersky.com. (2015, September 17). How to get a dump file of AVP.EXE process for Kaspersky Lab products. Retrieved from http://support.kaspersky.com/general/dumps/8006
Appendix
Appendix A: Examiner Workstation Specifications
· Computer Name: securitynik
· OS Name: Ubuntu
· OS Version: 14.04.3 LTS
· System Make/Model: Virtual Machine
· System Serial Number: 001122345
· Time Zone: GMT-4
· System date/time is consistent with the time zone listed above, as verified by http://nist.time.gov/.
Appendix B: Tools
· dumpit.exe - v1.3.2.20110401
· fciv.exe - v2.05
· UNRAR 5.00 beta 8 freeware
· Volatility Framework 2.4
· foremost 1.5.7
· ClamAV - v0.98.7
· geoiptool
· grep - v2.16
· WinRar 5.11 beta
· cat
· more
Appendix D: Evidence Verification
Table 2 outlines the hashes obtained throughout the evidence verification process. md5sum was used to calculate the MD5 hashes. The pre-analysis and post-analysis hashes of the archive are identical, showing that the evidence was not altered during the analysis.

Designation | Filename | MD5 Hash | Description
PRE-ANALYSIS | | |
Evidence Created | ALYSSA-PC-20150905-001215.rar | 88f81f7990fb1b2e18080b6ca4744433 | Image created
Evidence Examined | ALYSSA-PC-20150905-001215.rar | 88f81f7990fb1b2e18080b6ca4744433 | Image examined
POST-ANALYSIS | | |
Evidence Created | ALYSSA-PC-20150905-001215.rar | 88f81f7990fb1b2e18080b6ca4744433 | Image created
Evidence Examined | ALYSSA-PC-20150905-001215.rar | 88f81f7990fb1b2e18080b6ca4744433 | Image examined

Table 2: Evidence Verification Table
Other posts in this series
Volatility Memory Forensics - Investigation a potential virus situation - Part1
Volatility Memory Forensics - Investigation a potential virus situation - Part2
Volatility Memory Forensics - Investigation a potential virus situation - Part3
Volatility Memory Forensics - Investigation a potential virus situation - Part4
Volatility Memory Forensics - Investigation a potential virus situation - Part5