RAT - forensic assistance

Post by limdis on Thu Apr 04, 2013 5:09 pm

Situation:
Win7 box accessed via RAT for approximately 4 hours, entirely unchallenged and unwitnessed. The box was plug-pulled afterwards.

Now:
Getting rid of the program is not an issue. What I want to do is be able to replay the last couple of hours that the computer was on. Or at the very least be able to tell what was done while the box was accessed (files copied, etc.). I'm already planning on analyzing network traffic as soon as the box is powered back up to see if I can flush out anything useful. I've got a bit of forensic experience under my belt but not enough to feel confident in this specific situation. Anyone here done anything like this before? I could use some tips.


Re: RAT - forensic assistance

Post by 0phidian on Thu Apr 04, 2013 6:32 pm

I'm not an expert on forensics but...

It's usually a good idea to make a disk image of the drive, to prevent destruction of evidence (but if this is for fun it probably doesn't matter).

Log files should be located at "C:\System32\winevt\Logs\"
You can grab a copy of them from a live CD and open them up in Event Viewer on another PC.


Re: RAT - forensic assistance

Post by WallShadow on Thu Apr 04, 2013 6:44 pm

I haven't done much of this before, but I have the book Windows Forensics Analysis and I've read through it a couple of times. I recommend you dl a pdf of it and look through the index for a few pages that might be of interest for you.

What I found:

First off, you should have gotten an image of all processes memory before shutting off the computer, if you haven't done so, smack yourself hard in the back of the head, because you've just destroyed some very useful data. WFA lists a number of methods for what to do with it. Main idea is to get a picture of what was going on inside the RAT process and other processes during the attack.

You should also still have the RAT executable; see if reverse engineering it even a bit gets you an address, keys, or anything else of value.

Next thing you can try is all the various log files, namely:

The win Event Logs may be a primary source of information for you. The Event Viewer will show you a large list of what went on inside the system.

Though this is listed under Windows 2000 through XP, it might still apply. The key HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Event Log> has options for event log files such as file size, how long the record is maintained, etc. You might want to see if any of those were edited (WFA 255).

The Windows firewall (WFA lists this section only as 'XP Firewall Logs', though I bet that there is a firewall service running on Win 7 and you might have had it running if you didn't disable it). General idea is that it should have recorded some trace of the outgoing or incoming communication of the RAT.

Another interesting thing is crash dumps, in which the entire contents of the process' RAM is stored in a file on disk (WFA pg 114, 290). If the attacker crashed anything in the process of infection, you might find something funny in the files. Also, if he screwed around with any of the commands, you might find crash files.

The Windows registry has the time of LastWrite for each registry key. By sorting all registry keys by LastWrite time, you can get an idea of what keys the RAT or the attacker might have edited, clumsily generated, or even erased (WFA pg 168). How you access those, I'm not entirely positive; Google for a tool for it. I think WFA actually comes with a Perl script on a CD to do this for you.

See what works best.

<3 WallShadow
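Added example, not from the thread and not WFA's own script: a small Python parser for Windows Firewall log lines in the pfirewall.log "#Fields" layout that summarises, per remote endpoint, what was seen during the hours the box was being accessed, which is the kind of trace the firewall-log suggestion above is after. The log lines, the incident window and the local IP are constructed for illustration.

```python
# Added example (not from the thread): per-endpoint timeline from Windows Firewall
# log lines (pfirewall.log layout). Sample records, window and local IP are constructed.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2013-04-04 09:58:01 ALLOW TCP 192.168.1.20 93.184.216.34 49150 443 0 - 0 0 0 - - - SEND
2013-04-04 10:02:17 ALLOW TCP 192.168.1.20 203.0.113.7 49152 4444 0 - 0 0 0 - - - SEND
2013-04-04 11:30:44 ALLOW TCP 192.168.1.20 203.0.113.7 49170 4444 0 - 0 0 0 - - - SEND
2013-04-04 12:15:09 DROP TCP 198.51.100.9 192.168.1.20 51234 3389 48 S 1 0 8192 - - - RECEIVE
2013-04-04 13:41:55 ALLOW TCP 192.168.1.20 203.0.113.7 49201 4444 0 - 0 0 0 - - - SEND
2013-04-04 14:10:00 ALLOW TCP 192.168.1.20 93.184.216.34 49210 443 0 - 0 0 0 - - - SEND
"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) != len(fields):
                continue  # truncated/malformed line: skip instead of misaligning columns
            rec = dict(zip(fields, parts))
            rec["ts"] = _ts(rec["date"] + " " + rec["time"])
            yield rec

def endpoint_timeline(text, start, end, local_ip):
    """Remote endpoints seen between start and end (inclusive), busiest first."""
    # Key: (direction, remote ip, dst-port); dst-port is the remote service port for SEND
    # and the local port that was targeted for RECEIVE.
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None, "actions": set()})
    lo, hi = _ts(start), _ts(end)
    for rec in parse_firewall_log(text):
        if not lo <= rec["ts"] <= hi:
            continue
        outbound = rec["src-ip"] == local_ip
        remote_ip = rec["dst-ip"] if outbound else rec["src-ip"]
        e = seen[("SEND" if outbound else "RECEIVE", remote_ip, rec["dst-port"])]
        e["count"] += 1
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
        e["actions"].add(rec["action"])
    return sorted(seen.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
```

Repeated outbound sessions to one host and port inside the window, as with 203.0.113.7:4444 in the constructed sample, are the entries worth correlating with event log and registry LastWrite timestamps.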


Re: RAT - forensic assistance

Post by limdis on Thu Apr 04, 2013 6:52 pm

Great feedback already thank you! Making an image slipped my mind. So I'll be doing that.
Wall, I do not currently have physical access to the box. I was contacted after the event occurred. This was due to a scam operation and I have already tracked down the individuals responsible and will be SEing them shortly. It won't be hard to have them once again connect to the box (just trust me on this one).
I'll PM you about that pdf.