Extracting and Parsing the MFT of a logical disk from a Live Windows Machine

17 May

Over the weekend I had a family Windows XP box come to me with fake AV malware. The user indicated they didn’t know how or when it happened. Out of curiosity I began to investigate the cause and decided to see if I could replicate Tim Mugherini’s work, as presented on Pauldotcom, on this system to determine when the infection took place and to find any related files.

My first step was to grab the latest release of The Sleuth Kit (TSK). Once the files were obtained and extracted, the next trick was how to extract the MFT. Most of the reference materials I was able to locate on using TSK involved passing an image file to the utility in use. I had no desire to image the whole 160GB drive just for the MFT. Looking at further reference sites, I did see some passing a hard drive directly, but they were Linux systems. I also didn’t have the option of booting from a Live Linux distro at the time. I finally found a post by Rob Lee on the SANS Computer Forensics blog that showed how to reference a logical drive in Windows in a way The Sleuth Kit utilities recognize. The commands below are the Windows translation of the ones in that post:

fsstat \\.\C:

ifind -d number_address(from above) \\.\C:

istat \\.\C: 0 | more

icat \\.\C: 0-128-1 > MFTextracted

In order: fsstat reports the first cluster of the MFT; ifind -d maps that cluster address back to the MFT entry that owns it, which is entry 0 because $MFT is always the first record; istat lists that entry’s attributes, including the id of its $DATA attribute (type 128); and icat copies that attribute (here 0-128-1) out to a file.

This left me with a raw MFT file, which isn’t very useful unless you parse it. I first tried to use Mark Menz’s MFT Ripper, but the free version is limited to 50,000 lines. Next I turned to David Kovar’s analyzeMFT.py. I didn’t have a Python environment on the system I wanted to analyze from, so I needed to quickly set up Python. I decided to use ActivePython, and grabbed the 3.2 version of Python. I made sure Python was in my Path and tried to run the script:

python .\analyzeMFT.py -f MFTextracted -o T:\Temp\MFTextracted.csv

Everything seemed fine, but I kept receiving syntax errors. I couldn’t find anything obvious about this error, but I did see at least one post referencing Python 2.7. To troubleshoot, I grabbed ActivePython 2.7, installed it, and then changed my Path to point to 2.7 instead of 3.2. After reloading my command prompt, I kicked off the same command and the parsing began successfully.
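The parsing step that analyzeMFT.py handles comes down to walking the extracted file in 1024-byte FILE records. The block below is an added example of my own (not analyzeMFT.py or TSK code): it undoes the NTFS update-sequence fixup, pulls the file name and the $STANDARD_INFORMATION and $FILE_NAME creation times out of one record, and flags records whose $SI creation time predates $FN, the classic sign of altered timestamps when you are trying to date an infection. The record builder, file names and dates are constructed test data, not anything from the machine in the post.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)     # FILETIME = 100 ns ticks since this instant
def ft_to_dt(ft): return EPOCH + timedelta(microseconds=ft // 10)
def iso_to_ft(s): return (datetime.fromisoformat(s).replace(tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10

def parse_record(rec):
    """Name, $STANDARD_INFORMATION and $FILE_NAME creation times from one 1024-byte FILE record."""
    if rec[:4] != b"FILE": return None                    # empty slot or BAAD record: nothing to parse
    rec = bytearray(rec)                                  # undo the update sequence fixup first: on disk
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)  # the last 2 bytes of each sector hold the USN
    for i in range(1, usa_len):                           # and the real bytes sit in the array at usa_off
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, info = struct.unpack_from("<H", rec, 0x14)[0], {"name": None, "in_use": bool(rec[0x16] & 1)}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:                             # resident attribute ($SI and $FN always are)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:
                info["si_created"] = ft_to_dt(struct.unpack_from("<Q", body, 0)[0])
            elif atype == FILE_NAME:
                info["fn_created"] = ft_to_dt(struct.unpack_from("<Q", body, 8)[0])
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    # Timestamp-altering tools rewrite $SI but usually not $FN, so $SI created before $FN is a red flag.
    info["timestomp_suspect"] = "fn_created" in info and info.get("si_created", info["fn_created"]) < info["fn_created"]
    return info

def build_sample_record(name, si_created, fn_created):
    """Constructed test record (not from a real disk): in-use file, resident $SI and $FN, zero sizes."""
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHII", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0, RECORD_SIZE)
    rec[0x30:0x36] = b"\x01\x00\x00\x00\x00\x00"          # USN = 1, then the two saved sector-end words
    rec[SECTOR - 2:SECTOR] = rec[RECORD_SIZE - 2:] = b"\x01\x00"   # what the sector ends hold on disk
    si = struct.pack("<4Q", *[iso_to_ft(si_created)] * 4) + bytes(16)
    fn = struct.pack("<7QIIBB", 5, *[iso_to_ft(fn_created)] * 4, 0, 0, 0x20, 0, len(name), 1)
    off = 0x38
    for atype, body in ((STANDARD_INFORMATION, si), (FILE_NAME, fn + name.encode("utf-16-le"))):
        alen = (0x18 + len(body) + 7) & ~7                # attribute records are 8-byte aligned
        struct.pack_into("<IIBBHHHIH", rec, off, atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18)
        rec[off + 0x18:off + 0x18 + len(body)] = body
        off += alen
    struct.pack_into("<I", rec, off, END_MARKER)
    return bytes(rec)
```

To run it over a real extract, read the MFTextracted file and feed parse_record every 1024-byte slice; records that come back None are unused slots.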

Using VMware Converter to Convert Virtual PC VMs

8 May

The easiest method to convert a Virtual PC virtual machine is to use the VMware vCenter Converter provided by VMware. It can be downloaded from VMware’s site; free registration is required. Once you have downloaded and installed the converter, the following instructions should get you through the rest of the conversion process.

After installation is complete, launch the converter. Once the converter is open select “Convert Machine” as shown below.

(Screenshot: getting started)

A new window will open, and you start by specifying the source details. In order to convert a Virtual PC VM, select “Backup image or third-party virtual machine”. Then click “Browse…” and locate the VM you need to convert.

(Screenshot: select source type)

Hit “Next” to decide how the converted VM will be configured. Start with “Select destination type:”. Home users will choose “VMware Workstation or other VMware virtual machine”, as the resulting Virtual Machine (VM) will work with either VMware Player or Server. The other option is “VMware Infrastructure virtual machine”, which is used with ESX or vCenter Server products and will mainly be found in corporate setups.

(Screenshot: select VMware product)

You now can name the virtual machine as you desire so it is easily identified when you want to use it. When specifying the location, make sure the directory exists because the converter will not handle this for you. If you hit “Next,” the Converter will nag you that it doesn’t exist and won’t let you proceed.

(Screenshot: VM location details)

Hit “Next” and review the settings for the virtual machine. Here you can adjust hard drive, RAM, and network settings for the final VM.

(Screenshot: edit options)

I am converting a Windows 2000 machine which initially had been assigned a small amount of RAM. I boosted mine to 512MB to improve performance of the VM. Decide what is best for your setup based on the host computer’s actual RAM and the requirements of the guest OS you will be running. The yellow exclamation points are items which should be reviewed. In my case, “Processors” is set to one. Although your computer might have a dual core, don’t increase the number of processors, especially in older OSes, as this will require manual updating of components after the conversion. The other item requiring my attention referred to needing sysprep files. (After some investigation, I determined I would try the conversion without them, and everything went fine.) You can ignore this and hit “Next” to move the process along. On the next screen take a second to review that all the settings are as you want, and hit “Finish” when you are ready to proceed.

The conversion time can vary depending on the systems being converted. With the VMs for Windows 98 and Windows 2000 it took about a minute, but for a Windows Vista VM it took about 10 minutes. Times will obviously depend on your computer’s specs as well. I ran this on an AMD Athlon 64 X2 5600+ with 2GB of RAM.

If everything went as planned, you should have a new VM that works in your preferred VMware product. Hope that helps.

Windows System Control Center

24 Apr

Windows System Control Center (WSCC) is an organizational front end for the excellent utilities from Nirsoft and Sysinternals. The applications offered by these two sites range from monitoring process activity and secure disk cleanup to viewing a web browser’s cache and password recovery. Although WSCC was previously a nice front end for users unfamiliar with all the utilities and their functions, it wasn’t really needed by an advanced user who knew what each utility did. Yesterday WSCC released version 1.6 of the front end and added an update process which, with one click, updates all of the utilities from both sites. Since WSCC is a portable app, this makes keeping your thumb drive stocked with the latest utilities a simple process. Manually updating on a regular basis is time consuming and tends not to get done. The update feature alone makes WSCC an app that even advanced users might check out at this point, as it now saves time. And isn’t that what technology is supposed to provide, after all? I had been using Ketarin previously to maintain updated copies, but it required extracting and transferring files after downloading. WSCC’s new update process definitely streamlines things.

Go check it out. It is free for personal and commercial use.