Autopsy Python File Marker Module

Repetitively, I need the file system, registry, event logs and prefetch artifacts from end points.  So I created a script to mark files as interesting just to save time digging through the folder hierarchy.  The File Marker module can be downloaded from GitHub at:
File Marker Module
Listed the marked files with some of my favorite tools for parsing the artifacts too.    
Memory: pagefile.sys, hiberfil.sys and MEMORY.DMP
·             bulk_extractor –
·             Volatility –
File System: $MFT, $LogFile and $UsnJrnl:$J
·             Triforce ANJP Free Edition –
Registry: SYSTEM, SECURITY, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat and Amcache.hve
·             Registry Explorer –
·             RegRipper –
Event Logs: *.evtx
·             python-evtx –
Prefetch: *.pf
Please comment and share additional disk artifacts or tools that you use for triage!
File Marker Output

Autopsy Python Low Hanging Fruit Module

I wanted to try out the second Python module tutorial from Basis Technology [1].  After completing hash analysis to identify known files from the NSRL, the remaining hashes can be checked for low hanging fruit a.k.a. potential bugs.  The module will export a unique list of hashes not marked as known into the case folder as a file called AllLowHangingFruit.txt that can be run against Virus Total or Team Cymru [2][3].
Low Hanging Fruit

Running the same hashes over and over is not always a good use of resources thus added a GUI that would allow the end-user to select a SQLite database storing a list of previously seen hashes [4].  An empty SQLite database is posted on GitHub with the module code or you can always create your own too.
SQLite Command
If the location of the SQLite file is selected than the module checks to see if the hash is marked as known or in the database prior to exporting the value.  It is left to your discretion whether to manually add the hashes to the database for exclusion in the future from the NewLowHangingFruit.txt file.     

Analyzing IEaaS in Windows 8

Internet Explorer As A Service

I ran across an interesting artifact while exploring a memory image from a case with Volatility and Evolve. It looked bad at first glance, but turned out to be normal behavior as designed by Microsoft. I want to share a bit of the story with you, and then give you the facts of the behavior.

I had posted a tweet about a somewhat related topic, and @davehull pointed out that Internet Explorer in Windows 8 runs differently when started as a Metro app. The IE process sits as a child of svchost.exe in the process tree. I did some testing and confirmed the behavior. I tested in Windows 10 and found a little change. Then, @hexacorn (Adam) threw a twist in with a line of vbscript. Keep reading, and I will explain all of this.

Metro App Verses Regular App

Let me first clear the air and make sure that everyone reading is following what I am talking about with the Windows 8 Metro app. The start menu in Windows 8 is a full screen experience. There are tiles on this menu that will launch an application. One of the tiles you will see below is for Internet Explorer.

When you click on this tile, it launch Internet Explorer in the Metro version, and it looks a little something like this.

Alternatively, when you are in the desktop experience by clicking on the desktop tile, you will find a link to Internet Explorer pinned to the start bar.

Process Tree Examples

For years, processes have traditionally started in Windows in the same way. If the user initiates the process, it is typically put as a child of the process that was used to kick it off. When started from the start menu, link file, or run box, it will typically sit as a child of explorer.exe. If the process is designed to be run non-interactively in the background, it will typically sit as a child under services.exe.

Let me give a basic example to illustrate. I am using a Windows 8 machine for this, but you can follow along and see this functionality with any version of Windows.
1.    Open the calculator.
2.    Open the command prompt. Type calc.exe and hit [enter]

You will end up with a process tree looking something like this in Process Explorer. One calc.exe is a child of explorer.exe, along side with the cmd.exe that we opened. The other calc.exe is a child of cmd.exe.

Hosting the Party

The processes that run in the background sit under services.exe which is a child of wininit.exe. A very common process to find in this area is svchost.exe. In the image below, I have 13 instances of svchost.exe running. Each of them serves a different purpose, but I won’t go into that here. The point of showing you this is to show you where and how svchost.exe is used.

I also want to show you the permissions assigned to the svchost.exe process. You can right click on any one of those instances and click on properties. You will need to make sure that Process Explorer is running in admin mode first, however. Notice that the User running the process is NT AUTHORITY\SYSTEM. The quick assumption every examiner makes is that any child process of svchost.exe will also inherit the permissions of SYSTEM. This is not always the case, but it is very common. It is safe to assume this at first, and prove it wrong with a little bit of work.

(Mis)Behavior at Hand

After establishing the baseline above, tell me if this looks normal or a bit off to you.

I hope that you had all sorts of bells and whistles going off in your head. Unless you have seen this artifact before and have chased it down, this looks downright scary.

You might have also noticed that opening one window of the Metro Internet Explorer actually created a parent and child iexplore.exe, and good for you! I will just say simply that each tab gets a process, for now, since I am planning on another blog post to explain that part.

Now I will look at this in Evolve, since this is how it all started for me. Follow along with me by downloading the memory image. Looking at the output for the Volatility pslist module shows me several instances of iexplore.exe, and it sticks out to me that there are a number of different PPID values. Typing IE into the search box narrows down the results to just those of iexplore.exe processes.

To get a better picture, I use the Show SQL button to input a custom SQL query. I want to show the name of the parent process so I don’t have to keep searching on the PID values.

SELECT p1.*,
(select name from pslist p2 where as Parent
FROM pslist p1

Once the SQL is applied I hide several of the columns, and drag the parent column over beside the PPID column.

If you use Volatility from your shell, you can run the pstree module and see it pretty well in the output like this.

If I didn’t know any better (which is the point of writing this blog post) I would assume that the iexplore.exe processes under svchost.exe are running with SYSTEM privileges. So I make that assumption and investigate a little further to prove it wrong.

I run the Volatility getsids module and view the output in Evolve. In the search box, I type ‘ie sys’ and I get no results.

This causes me to think I did something wrong, so I back out and just type ‘sys’ and find there is a lot of noise. I continue in the search box with ‘sys loc’ which seems to do the trick. I also hide a couple columns to improve the view. Scrolling through this list shows all the processes I expect to have SYSTEM privileges, but I don’t see any iexplore.exe entries in the list.

I want to confirm all of this, so I clear the search box and type ‘iex’. I get all of the sids associated with all of the iexplore.exe processes, and none of them hold SYSTEM elevated privileges. These processes have the Administrators group since I am logged into that VM with an admin account.


The Change-up in Windows 10

Microsoft decided to change the name of Internet Explorer for the release of Windows 10. They also changed the way the processes are created a little bit. The parent MicrosoftEdge.exe process becomes a child of svchost.exe, but the tabs don’t fall under it. The tabs end up being children of a different process called RuntimeBroker.exe which is itself a child of svchost.

So, you can the changes in Windows 10 aren’t drastic, but they are enough to note for future investigations.

Adam’s Screwball

You probably know Adam best from his massive series of Hexacorn blog posts about various autorun locations that can be used for persistence by malicious software. If not, you should go read them when you finish here.

Adam joined the conversation on twitter and pointed out that you could emulate the behavior of the Metro IE with a single line of vbscript to start it off. Controlling it would require a few more lines, but thats not the point here. Let me show you the line of code.

Set ie=WScript.CreateObject(“InternetExplorer.Application”)

It’s pretty simple to kick this off. Just type or paste that line of code into a text file, and save it as a .vbs file. Open your command prompt, navigate to the folder where you saved it, and use cscript to execute it.

Here comes the test, are you ready? I rebooted my VM so you can cheat by using the previous PID numbers, though I applaud your attempt. Which process was started by the vbscript? First the parent processes, and then the children.


Since I don’t want to intrusively blast jeopardy music through your browser, I will attempt an equivalent measure of stalling for time so you don’t accidentally cheat.

An excerpt for your reading pleasure:

Last week, we met to address your continuing job-performance problems related to the serving of items from the dessert cart you operate in the newspaper’s senior staff dining room. These problems have persisted despite repeated counseling sessions with  supervisors as well as staff training programs. Specifically, your refusal to serve dessert to certain members of the senior staff has resulted in several written complaints from administrators at this company.

Mrs. Lopez, your refusal to serve dessert to certain members of the paper’s staff is disruptive to food service operations, and the explanations that you have provided for your behavior are not acceptable. This letter is being issued as a written warning with the expectation that there will be an immediate and sustained improvement in your job performance. Failure to comply will result in further disciplinary action.

On a more personal note, Mrs. Lopez, please stop refusing to give senior staff members dessert, even if you feel, as you explained to me last week, that they don’t “deserve it.” Which members of the paper’s staff do or do not deserve dessert is not your decision to make! And I would hate to see you asked to leave the food craft services department over something so silly! I would really miss you — and your chocolate chip cookies!

The only difference that any of us, from the twitter dialog, could come up with was that the tab opened by vbscript ended up being a 32-bit process. Adam and I both tried a number of ways to get it running fully as a 64-bit process, but we both failed. If you come up with a technique to make that happen, please let me know!

Good, Bad, and Badly Designed

With that, I have shown you what appeared to be bad, but ended up being good – as badly designed. I have also shown you some bad which does a pretty darn good job at looking like the good.

Hope you found this interesting and useful. Happy Hunting!

Get the memory image I was looking through.

James Habben

Autopsy Python Gold Build Module

Basis Technology released a nice tutorial on writing Python modules for Autopsy [1]. Figured, I would start with hash analysis using the built in Hash Lookup module for the National Software Reference Library (NSRL) and than create a custom gold build hash set. 

Hash Lookup
Hash Lookup

The current Minimal Set of the NSRL 249 containing over 42 million known hashes was not posted for download as an Autopsy Hash Index yet.  Building your own will involve downloading the reduced minimal hash set [2].  A quick little Python script removes the header and writes only the MD5 hash to a new file.  Currently Autopsy has an issue generating the index for large hash sets requiring the NSRL to be split into two chunks.  The Unix command ‘wc NSRL.txt’ can be used to determine the number of lines in the file so it can be split evenly with the ‘split -l 21030270 NSRL.txt’ command. 
NSRL Python Code
NSRL Python Code provides hash lists that can be publically downloaded and used to identify over 20 million potentially bad files.  The Unix command ‘cat VirusShare_00* | grep -v ‘#’ > VxShare.txt’ will create a single hash file that can be imported into Autopsy. is another place to get additional known hashes that are not in the NSRL too.  It is definitely preferred to generate a Gold Build hash set that is specific to your environment.  The Autopsy Python Gold Build Module requires that the hash values have already been calculated prior to execution.  Running the Gold Build Module will create a text file containing only unique hash values stored in the case folder called GoldBuild.txt [3].

Gold Build
Gold Build 

Now that the NSRL, and the Gold Build output are all in the same format, they can be imported and used to generate hash indexes for comparisons in Autopsy [4].  Only indexes are required for hash analysis to complete.  Additional hashes can not be added to an existing index only the hash library through the GUI interface.