Through all my high school and college math classes, my teachers always taught me to step back after a problem was completed and ask if the answer made sense. What did this mean? It meant don't just punch numbers into the calculator, write the answer, and move on. It meant step back, review the problem, consider all the known information and ask, "Does the answer I came up with make sense?"
Although the above example is relatively simple, this little trick applied to more complicated math problems, and many times it helped me catch incorrect answers.
But what does this have to do with DFIR? I believe the same principle can be applied to investigations. When looking at data, sometimes stepping back and asking myself the question, "Does what I am looking at make sense?" has helped me locate issues I may not have otherwise caught.
I have had a least a couple of DFIR situations where using this method paid off.
You've got Mail...
I was working a case where a user had Mozilla Thunderbird for an email client. I parsed the email with some typical forensic tools and begin reviewing emails.
While reviewing the output, I noticed it seemed pretty sparse, even though the size of the profile folder was several gigs. This is where I stepped back and asked myself, does this make sense? It was a large profile, yet contained very few emails. This led to my research and eventual blog post on the Thunderbird MBOXRD file format. Many of the programs were just parsing out the MBOX format and not the MBOXRD format, and thus, missing lots of emails. Had I just accepted the final output of the program, I would have missed a lot of data.
All your files belong to us...
Many times I will triage a system either while waiting for an image to complete, or as an alternate to taking an image. This is especially useful when dealing with remote systems that need to be looked at quickly. Exporting out the MFT and other files such as the Event Logs and Registry files results in a much smaller data set than a complete image. These artifacts can then be used to create a mini-timeline so analysis can begin immediately (see Halan's post here for more details on creating mini-timelines).
To parse the MFT file into timeline format, I use a tool called Analyze MFT to provide a bodyfile. Once the MFT is in bodyfile format, I use Harlan Carvey's parse.pl to convert it into TLN format and add it into the timeline.
While working a case, I created timelines using the above method for several dozen computers. After the timelines were created, I grepped out various malware references from these timelines. While reviewing the results, I noticed many of the malware files had a file size of zero. Weird. I took a closer look and noticed ALL the malware files contained a file size of zero. Hmmm.. what did that mean? What are the chances that ALL of those files would have a zero file size??? Since the full disk images were not available, validateing this information with the actual files was not an option. But I stepped backed and asked myself, given what I knew about my case and how the malware behaved.. does that make sense?
So I decided to "check my work" and do some testing with Analyze MFT. I created a virtual machine with Windows XP and exported out the MFT. I parsed the MFT with Analyze MFT and began looking at the results for files with a zero file size.
I noticed right away that all the prefetch files had a file size of zero, which is odd. I was able to verify that the prefetch files sizes were in fact NOT zero by using other tools to parse the MFT, as well as looking at the prefetch files themselves in the VM. My testing confirmed that Analyze MFT was incorrectly reporting a file size of zero for some files.After the testing I reached out to David Kovar, the author of Analyze MFT, to discuss the issue. I also submitted a bug to the github page.
If I had not "checked my work" and assumed that the the file size of zero meant the files were empty, it could have led to an incorrect "answer".
So thanks to those teachers that ground the "does it make sense" check into my head, as it has proved to be a valuable tip that has helped me numerous times (more so then the Pythagorean Theorem...)
Mari,
ReplyDeleteExcellent post, and very timely.
It seems that too many folks...I'm not going to say "within the DFIR community", now that my use of the term "community" has been corrected...too many folks who appear to "do" forensics- and IR-related work blindly run tools and accept the output, and if something doesn't make sense, they simply walk away.
Checking your work...or seeking someone else that you trust to give it to you straight to check it for you...is the responsible thing to do.