3 Free NirSoft Tools for Malware Analysis

Nir Sofer makes a number of Windows utilities, which he distributes for free on the NirSoft website. This post takes a quick look at 3 of his tools—ProcessActivityView, RegFromApp and ProcessThreadsView—which can be handy when analyzing malware from a behavioral perspective. These programs can be a useful supplement to Microsoft’s Process Monitor and Process Explorer tools.

ProcessActivityView delineates which files and folders the designated process attempts to access. It allows you to begin tracing an existing process by letting you select it from a listing of active processes:

The tool also allows you to start a new process and begin tracing it immediately:

ProcessActivityView displays a real-time log of the file system activity associated with the monitored process. In addition to displaying the file path, the tool tracks how many times the file was opened, how many bytes were read and written, etc. It also displays the DLL that made the last open-file call:

RegFromApp monitors registry activities of the designated process, displaying a log file of registry changes. This can be a quick way to observe how a malicious program attempts to change the registry:

Like with ProcessActivityView, you can point RegFromApp to an existing process or tell it to launch the specified executable and begin tracing it immediately.

ProcessThreadsView is designed similarly to ProcessActivityView and RegFromApp, letting you monitor existing processes or trace new ones. When active, this tool displays information about the threads of the designated process, including strings found on the stack of each thread and much more:

Good Supplement to Other Tools
ProcessActivityView, RegFromApp and ProcessThreadsView are quick and easy to use, and give you some visibility into the registry and file system capabilities of malicious programs. However, they generally aren’t as comprehensive as Process Monitor and, to some extent, Process Explorer. I consider them “second opinion” tools, and like having them as part of my malware analysis toolkit.
Just so you know, I teach the malware analysis course at SANS Institute.

Reposted from http://blog.zeltser.com/post/9610150595/processactivitymonitor-and-regfromapp

HowTo: File Extension Analysis

Many times when I am browsing through online lists and forums, I see questions along these lines: an analyst finds a file with a specific extension and wants to know which application uses it or may have been used to modify that file. Most times, this is just a small part of a much larger question, and initial attempts to answer it via Google searches may have led to additional confusion (the specified application does not appear to be installed on the system, etc.). However, there are things an analyst can do to answer that question using the data currently available within the collected image.

File Extension Analysis

So you have a file that you're interested in, along with a path, name, and extension, and you want to know which application may have been used to create or modify that document.  One way we can go about this is to use Registry analysis.  Within the acquired image, locate the Software hive (usually in the path "\Windows\system32\config"), and within that hive, look to the Classes key.  Many of the first subkeys that you'll see beneath this key are file extensions, such as ".3g2".  The "(Default)" value of this key is "QuickTime.3g2", which indicates that this system will attempt to open a file with this extension using the QuickTime application.  Additionally, the "OpenWithList" subkey includes a subkey named "QuickTimePlayer.exe". Locating the key "Classes\QuickTime.3g2", I saw that that key had a "shell\open\command" subkey with a "(Default)" value that pointed to QuickTimePlayer.exe (along with the complete path to that file).

As another example, beneath the "Classes\.aa" key, the "OpenWithList" subkey contains a subkey named "iTunes.exe", which indicates that the iTunes application will be used to open a file that ends in the ".aa" extension.  Some extensions may have multiple subkeys beneath the "OpenWithList" key, which serves as an indicator to the type of file with which the extension is associated.

Other keys beneath the "Classes" key may have different information that may indicate how the file had been accessed or used on the system.  On a system I was looking at, I found the ".rnk" extension, and the key only had a "(Default)" value with "rnkfile".  I then located the "Classes\rnkfile" key, which had a "shell" subkey, with additional subkeys that referred to different commands.  When I went to the command line on that system and typed "assoc rnkfile", the response was "rnkfile=Dial-Up Shortcut". 

As this technique is based on Registry analysis, analysts need to keep in mind that it may often be unique to the system being analyzed, and findings on one system may not necessarily map directly to or represent those on another system.  Also, these artifacts are based on file associations, which many times will be set when an application is installed, during the installation process.  As such, when the application is uninstalled, those associations may be removed.

As this technique involves Registry analysis, there are other areas you can check, as well. For example, on XP each user's NTUSER.DAT hive has a "Software\Classes" key that may contain file associations specific to that user. On Vista and above, this information is located in the root of the USRCLASS.DAT hive. You can also look to the RecentDocs key within the NTUSER.DAT hive to see which files the user has accessed, by extension. Also, if you suspect that someone may have purposely deleted any of the keys or values of interest, be sure to use regslack to check the unallocated space within the hive files for those artifacts.

If you have a file name (as opposed to just an extension), you might open the user's hives in something like MiTeC's Windows Registry Recovery tool or the Registry Decoder from DFS and search for the file name; you may find a reference in an application's MRU listing.
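A scripted version of the lookup walked through above, added here as an example (it is not code from the original post): it follows Classes\.ext to its ProgID, lists the OpenWithList and OpenWithProgids entries, and resolves each ProgID's shell\<verb>\command value. It assumes the SOFTWARE hive extracted from the image has been loaded into the examiner's registry with reg load; the HKLM\SOFTWARE_img name and C:\case path are placeholders, and -ClassesRoot can be pointed at a loaded USRCLASS.DAT root instead to check a user's own associations.

```powershell
# Added example (not from the original post). Resolve a file extension to the
# application(s) registered to open it, in a SOFTWARE hive taken from an image.
# Assumes the hive was first loaded from an elevated prompt, e.g.
#     reg load HKLM\SOFTWARE_img C:\case\SOFTWARE     (placeholder name and path)
# and is unloaded afterwards with:  reg unload HKLM\SOFTWARE_img
# For per-user associations, point -ClassesRoot at the root of a loaded
# USRCLASS.DAT (Vista+) or at Software\Classes in a loaded NTUSER.DAT (XP).
param(
    [string]$Extension   = '.3g2',
    [string]$ClassesRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE_img\Classes'
)

function Get-DefaultValue {
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    # PowerShell exposes the unnamed "(Default)" value under that property name
    (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
}

function Get-ShellCommands {
    # Classes\<ProgID>\shell\<verb>\command (Default) holds the command line,
    # e.g. the full path to QuickTimePlayer.exe for QuickTime.3g2
    param([string]$Root, [string]$ProgId)
    $shell = "$Root\$ProgId\shell"
    if (-not (Test-Path -LiteralPath $shell)) { return }
    foreach ($verb in Get-ChildItem -LiteralPath $shell) {
        $cmd = Get-DefaultValue "$($verb.PSPath)\command"
        if ($cmd) {
            [pscustomobject]@{ ProgId = $ProgId; Verb = $verb.PSChildName; Command = $cmd }
        }
    }
}

function Resolve-Extension {
    param([string]$Ext, [string]$Root)
    if (-not $Ext.StartsWith('.')) { $Ext = ".$Ext" }
    $extKey = "$Root\$Ext"
    if (-not (Test-Path -LiteralPath $extKey)) {
        Write-Warning "$Ext is not registered under $Root"
        return
    }
    # Step 1: the (Default) value of Classes\.ext is the ProgID ("QuickTime.3g2")
    $progId = Get-DefaultValue $extKey

    # Step 2: OpenWithList subkeys name executables offered for this extension
    $openWith = @()
    if (Test-Path -LiteralPath "$extKey\OpenWithList") {
        $openWith = @(Get-ChildItem -LiteralPath "$extKey\OpenWithList" |
                      ForEach-Object { $_.PSChildName })
    }
    # OpenWithProgids lists alternative ProgIDs as value names
    $altProgIds = @()
    if (Test-Path -LiteralPath "$extKey\OpenWithProgids") {
        $altProgIds = @((Get-Item -LiteralPath "$extKey\OpenWithProgids").GetValueNames() |
                        Where-Object { $_ })
    }

    # Step 3: follow every ProgID to its shell verbs and command lines
    $commands = @()
    foreach ($p in (@($progId) + $altProgIds | Where-Object { $_ } | Select-Object -Unique)) {
        $commands += @(Get-ShellCommands -Root $Root -ProgId $p)
    }

    [pscustomobject]@{
        Extension       = $Ext
        ProgId          = $progId
        OpenWithList    = $openWith
        OpenWithProgids = $altProgIds
        Commands        = $commands
    }
}

$r = Resolve-Extension -Ext $Extension -Root $ClassesRoot
if ($r) {
    $r | Select-Object Extension, ProgId, OpenWithList, OpenWithProgids | Format-List
    $r.Commands | Format-Table -AutoSize
}
```

Because the association keys are read from the loaded hive rather than the examiner's own registry, the output reflects the imaged system's associations, which is the point the post makes about findings not transferring between systems.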

Reposted from http://windowsir.blogspot.com/2011/09/howto-file-extension-analysis.html

HowTo: Mount and Access VSCs

I've posted before regarding how to mount and access Volume Shadow Copies (VSCs), but I thought it might be useful to revisit this topic, as there's a great deal that you can do once you've mounted a VSC.

If you have received an image acquired from a Vista or Win7 system, you'll likely want to mount the image and access data within the available VSCs at some point. Commercial tools such as ProDiscover provide access to the VSCs within an image, but how can you access this source of data in a more economical fashion?

Well, there are a couple of ways to go about this, both of which require that you're using a version of Windows that supports VSCs, such as Windows 2008 or Windows 7.

VMDK Method

Starting with your image, download a copy of either raw2vmdk or LiveView and create a VMWare virtual disk (.vmdk) file for the image (I say "for" because the .vmdk file will most likely contain a reference to the image file).  Once you've done this, you can add this .vmdk file as an additional hard drive to a VMWare virtual machine (VM), and then boot that VM.  You can add a .vmdk file as an additional hard drive via VMPlayer, but if you have VMWare Workstation, you can add the .vmdk file as an independent, non-persistent disk, which means that no changes are made to the .vmdk file.

Note: You should always work on a copy of an image, not the original image file itself.

As a test, I opened VMPlayer running on a Windows 7 64-bit host system and selected a 32-bit Windows 2008 guest VM. I added a .vmdk file from a 32-bit Windows 7 guest VM to the Win2008 VM as an additional hard drive, and booted the Win2008 VM. Once I logged in, I was able to list the available VSCs from the Windows 7 .vmdk file (mounted as the E:\ volume) using the command vssadmin list shadows /for=e:. From that point, it was simply a matter of using the mklink command to mount a VSC.

VHD Method

To use this method, download a copy of vhdtool, and use it to convert the image to a VHD file (i.e., vhdtool /convert). The tool adds a VHD footer to the image file; the file's extension won't change automatically, but that isn't needed in order to mount the VHD (you can change the extension manually, if you like). You can then use the Disk Management tool to add the VHD file to a Windows 2008 or Windows 7 system as a read-only disk.

What now?

Once you've mounted the image file, you can list the available VSCs using the vssadmin command, and even create a batch file that will mount each VSC using the mklink command, run various tools on the mounted VSC (e.g., rip.pl/.exe, LogParser, etc.), and then unmount each VSC using the rmdir or rd command.

I've used this method to cycle through the VSCs within an image from a Vista system to extract information from a user's UserAssist key using the userassist_tln.pl RegRipper plugin (via rip.pl), in order to determine not only the last time that the user launched an application, but previous times as well.
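The mount / run / unmount cycle described above as a PowerShell script, added here as an example and not code from the original post. It assumes the image is attached as E: (as in the post), an elevated prompt on a Windows 2008 or 7 host, and English-language vssadmin output; C:\vsc and C:\tools\rip.exe are placeholder paths.

```powershell
# Added example (not from the original post). Walk every Volume Shadow Copy
# of a volume, link it into a working folder, run an action against it, and
# remove the link again. Assumes the image is attached as E: (as in the post),
# an elevated prompt on a Windows 2008/7 host, and English vssadmin output.
# C:\vsc and C:\tools\rip.exe are placeholders; adjust to your setup.
param(
    [string]$Volume   = 'E:',
    [string]$LinkRoot = 'C:\vsc'
)

function Get-ShadowCopyDevices {
    # Pull the "Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN"
    # lines out of "vssadmin list shadows /for=<volume>"
    param([string]$ForVolume)
    $pattern = 'Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)'
    foreach ($line in (& vssadmin.exe list shadows "/for=$ForVolume")) {
        if ($line -match $pattern) { $Matches[1] }
    }
}

function Invoke-OnEachShadowCopy {
    param([string]$ForVolume, [string]$Root, [scriptblock]$Action)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $n = 0
    foreach ($device in Get-ShadowCopyDevices -ForVolume $ForVolume) {
        $link = Join-Path $Root ("vsc{0}" -f $n)
        # mklink wants the trailing backslash on the device path; without it
        # the link is created but its contents cannot be browsed
        & cmd.exe /c mklink /d $link "$device\" | Out-Null
        try {
            & $Action $link $device
        }
        finally {
            # rd removes only the symbolic link, never the shadow copy itself
            & cmd.exe /c rd $link | Out-Null
        }
        $n++
    }
}

# Action from the post: run the userassist_tln RegRipper plugin against each
# user's NTUSER.DAT in every shadow copy, giving the launch history over time
# rather than only the most recent run.
Invoke-OnEachShadowCopy -ForVolume $Volume -Root $LinkRoot -Action {
    param($link, $device)
    "=== $device ==="
    # PSIsContainer rather than -Directory so this also works on PowerShell 2.0
    Get-ChildItem -Path (Join-Path $link 'Users') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $hive = Join-Path $_.FullName 'NTUSER.DAT'
            if (Test-Path -LiteralPath $hive) {
                & 'C:\tools\rip.exe' -r $hive -p userassist_tln
            }
        }
}
```

Each shadow copy is a point-in-time snapshot, so the NTUSER.DAT inside it is not locked and can be parsed directly; the same action block can be swapped for LogParser or any other tool that takes a path.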


This section provides links to blog posts from other analysts to demonstrate what they've done while having access to VSCs...

- Stacey Edwards' SANS Forensic Blog post on using LogParser against VSCs

Reposted from http://windowsir.blogspot.com/2011/09/howto-mount-and-access-vscs.html

Link2 v2.5


You can receive your free version from our Link2 Download Page.

Please Note: You must go to the free download page above. Orders sent through the shopping cart will not be fulfilled.

Link Analysis can be a valuable tool for any forensic investigator to be able to sift through the data to find the "smoking gun." Paraben's new Link2 is a FREE link analysis tool that works directly with Paraben's Device Seizure to make a visual representation of cell phone data and show correlations, even across multiple devices. The features are right, the price is right, you can't go wrong.

Paraben's Link2

  • Import multiple Device Seizure case files (.PDS)
  • Link calls, SMS, time stamps, files, etc. between devices
  • Report/Export Options
    • PNG
    • SVG
    • PDF
    • VDX
    • DXF
    • HTML
  • Filter options from one case to another
  • Coming soon: Support for E-mail Examiner & Network E-mail Examiner files

Please note: Link2 is available for download only.

System Requirements
Processor: 1.4 GHz+
Hard Drive Space: 200 MB
Windows 2000, XP, 2003, Vista, Windows 7

Reposted from http://www.paraben.com/link2.html

JPEGsnoop - JPEG File Decoding Utility


Every digital photo contains a wealth of hidden information -- JPEGsnoop was written to expose these details to those who are curious.

Not only can one determine the various settings that were used in the digital camera when taking the photo (EXIF metadata, IPTC), but one can also extract information that indicates the quality and nature of the JPEG compression the camera used when saving the file. Each digital camera specifies its own compression quality levels, many of them wildly different, which is why some cameras produce far better JPEG images than others.

What can I do?

Check out a few of the many possible uses for JPEGsnoop!
One of the latest features in JPEGsnoop is an internal database that compares an image against a large number of compression signatures. JPEGsnoop reports which digital camera or software was likely used to generate the image. This is extremely useful in determining whether or not a photo has been edited or tampered with in any way: if the compression signature matches Photoshop, then you can be pretty sure that the photo is no longer an original. This type of analysis is sometimes referred to as Digital Image Ballistics / Forensics.

JPEGsnoop reports a huge amount of information, including: quantization table matrices (chrominance and luminance), chroma subsampling, the estimated JPEG quality setting, JPEG resolution settings, Huffman tables, EXIF metadata, Makernotes, RGB histograms, etc. Most of the JPEG JFIF markers are reported. In addition, you can enable a full Huffman VLC decode, which will help those who are learning about JPEG compression and those who are writing a JPEG decoder.
Other potential uses: determining the quality setting used in Photoshop's Save As or Save for Web settings, increasing your scanner quality, locating recoverable images / videos, decoding AVI files, examining .THM files and JPEG EXIF thumbnails, extracting embedded images from Adobe PDF documents, etc.

Trying to Undelete or Unformat your Photos?

If you're interested in trying to recover your deleted / corrupted photos, check out my new page on recovering deleted photos.

File Types Supported

JPEGsnoop will open and attempt to decode any file that contains an embedded JPEG image, such as:
  • .JPG - JPEG Still Photo
  • .THM - Thumbnail for RAW Photo / Movie Files
  • .AVI* - AVI Movies
  • .DNG - Digital Negative RAW Photo
  • .CRW, .CR2, .NEF, .ORF, .PEF - RAW Photo
  • .MOV* - QuickTime Movies, QTVR (Virtual Reality / 360 Panoramic)
  • .PDF - Adobe PDF Documents

Reposted from http://www.impulseadventure.com/photo/jpeg-snoop.html


Registry Decoder Digital Forensics Software

Digital forensics deals with the analysis of artifacts on all types of digital devices. One of the most prevalent analysis techniques performed is that of the registry hives contained in Microsoft Windows operating systems. Registry Decoder was developed with the purpose of providing a single tool for the acquisition, analysis, and reporting of registry contents. To learn the history of this project, please see the history page.

Registry Decoder is a free and open source tool. The online acquisition component can be accessed at: http://code.google.com/p/regdecoderlive/ and the offline analysis component accessed at: http://code.google.com/p/registrydecoder/.

All functionality contained within the two components is exposed through a graphical user interface, and the tool aims to provide even novice investigators with powerful analysis capabilities. Another goal of Registry Decoder is to become the project in which all future registry-related research is performed and developed. If you are a researcher interested in open problems within forensic registry research, or are interested in contributing to the project, please see our research page.

Reposted from http://www.digitalforensicssolutions.com/registrydecoder/

Jump List AppIDs

Artifact Name
Jump List AppIDs (Windows 7) – browsers, utilities, image viewers, and media players

Windows 7, Jump Lists

The Jump List is a new feature of the Windows 7 taskbar that allows quick access to recently or most frequently viewed/opened/played files. It also allows quick access to common tasks within each application. Each application has a little square of its own in the taskbar.
When the application performs certain actions (opening a file, right-clicking the application's taskbar square, etc.), two types of files are created:
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)
Note: these directories are hidden; you have to type the full path into the address bar to see their contents. The ‘*’ in the above examples is where the application's AppID appears. For the most part, the Windows operating system calculates the AppID of an application. Knowing an application's AppID can help identify any given application when user activity is of great importance in an investigation.

Internet Browsers
5d696d521de238c3 Chrome 9.0.597.84 / 12.0.742.100 / 13.0.785.215
cfb56c56fa0f0a54 Mozilla 0.9.9
5c450709f7ae4396 Firefox 1.0 / 2.0 / 3.0
5df4765359170e26 Firefox 4.0.1
1eb796d87c32eff9 Firefox 5.0
1461132e553e2e6c Firefox 6.0
28c8b86deab549a1 Internet Explorer 8 / 9
16ec093b8f51508f Opera 8.54 build 7730 / 9.64 build 10487 / 11.50 build 1074
8a1c1c7c389a5320 Safari 3.2.3 (525.29)
1da3c90a72bf5527 Safari 4.0.5 (531.22.7) / 5.1 (7534.50)
Utilities
3dc02b55e44d6697 7-Zip 3.13 / 4.20
4975d6798a8bdf66 7-Zip 4.65 / 9.20
4b6925efc53a3c08 BCWipe 5.02.2 Task Manager 3.02.3
337ed59af273c758 Sticky Notes
290532160612e071 WinRAR 2.90 / 3.60 / 4.01
c9950c443027c765 WinZip 9.0 SR-1 (6224) / 10.0 (6667)
b74736c2bd8cc8a5 WinZip 15.5 (9468)
bc0c37e84e063727 Windows Command Processor – cmd.exe (32-bit)
Image/Document Viewers
f0468ce1ae57883d Adobe Reader 7.1.0
c2d349a0e756411b Adobe Reader 8.1.2
23646679aaccfae0 Adobe Acrobat 9.4.0
ee462c3b81abb6f6 Adobe Reader X 10.1.0
386a2f6aa7967f36 EyeBrowse 2.7
e31a6a8a7506f733 Image AXS Pro 4.1
b39c5f226977725d ACDSee Pro 8.1.99
59f56184c796cfd4 ACDSee Photo Manager 10 (Build 219)
8bd5c6433ca967e9 ACDSee Photo Manager 2009 (v11.0 Build 113)
d838aac097abece7 ACDSee Photo Manager 12 (Build 344)
b3f13480c2785ae Paint 6.1 (build 7601: SP1)
7cb0735d45243070 CDisplay
3594aab44bca414b Windows Photo Viewer
3edf100b207e2199 digiKam 1.7.0 (KDE 4.4.4)
169b3be0bc43d592 FastPictureViewer Professional 1.6 (Build 211)
e9a39dfba105ea23 FastStone Image Viewer 4.6
edc786643819316c HoneyView3 #5834
76689ff502a1fd9e Imagine Image and Animation Viewer 1.0.7
2519133d6d830f7e IMatch
1110d9896dceddb3 imgSeek 0.8.5
c634153e7f5fce9c IrfanView 3.10 / 4.30
ea83017cdd24374d IrfanView Thumbnails
3917dd550d7df9a8 Konvertor 4.06 (Build 10)
2fa14c7753239e4c Paint.NET 2.72 /
d33ecf70f0b74a77 Picasa 2.2.0 (Build 28.08, 0)
b17d3d0c9ca7e29 Picasa 3.8.0 (Build 117.43, 0)
Embedded in IE Prizm Viewer
depends on Location Scientific and Technical Document Viewer 1.6.2 Portable (STDU)
c5c24a503b1727df XnView 1.98.2 Small / 1.98.2 Standard
497b42680f564128 Zoner PhotoStudio 13 (Build 7)
Media Players
d22ad6d9d20e6857 ALLPlayer 4.7
7494a606a9eef18e Crystal Player 1.98
1cffbe973a437c74 DSPlayer 0.889 Lite
817bb211c92fd254 GOM Player /
6bc3383cb68a3e37 iTunes /
83b03b46dcd30a0e iTunes / / (begin custom ‘Tasks’ JL capability)
fe5e840511621941 JetAudio Basic / Basic / 7.0.0 Basic / Basic
a777ad264b54abab JetVideo Basic
3c93a049a30e25e6 J. River Media Center 16.0.149
4a49906d074a3ad3 Media Go 1.8 (Build 121)
1cf97c38a5881255 MediaPortal 1.1.3
Depends on location Media Player Classic (is portable)
Depends on location Media Player Classic – Home Cinema (default install is \Users\user\ dir, so dynamic)
62bff50b969c2575 Quintessential Media Player 5.0 (Build 121) – also usage stats (times used, tracks played, total time used)
b50ee40805bd280f QuickTime Alternative 1.9.5 (Media Player Classic
ae3f2acd395b622e QuickTime Player 6.5.1 / 7.0.3 / 7.5.5 (Build 249.13)
7593af37134fd767 RealPlayer / 7 / 8 / 10.5
37392221756de927 RealPlayer SP 12
f92e607f9de02413 RealPlayer
6e9d40a4c63bb562 Real Player Alternative 1.25 (Media Player Classic /
c91d08dcfc39a506 SM Player 0.6.9 r3447
e40cb5a291ad1a5b Songbird 1.9.3 (Build 1959)
4d8bdacf5265a04f The KMPlayer
4acae695c73a28c7 VLC 0.3.0 / 0.4.6
9fda41b86ddcf1db VLC 0.5.3 / 0.8.6i / 0.9.7 / 1.1.11
e6ee34ac9913c0a9 VLC 0.6.2
cbeb786f0132005d VLC 0.7.2
f674c3a77cfe39d0 Winamp 2.95 / 5.1 / 5.621
90e5e8b21d7e7924 Winamp 3.0d (Build 488)
74d7f43c1561fc1e Windows Media Player 12.0.7601.17514

File Locations
- *.automaticDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\automaticDestinations)
- *.customDestinations-ms files (in %appdata%\Microsoft\Windows\Recent\customDestinations)

Research Links
Original source blog post
1. Forensic Examination of Windows 7 Jump Lists Powerpoint (by Troy Larson)
2. Windows 7 Taskbar Part 1 (by Yochay Kiriaty)
3. The Forensic Value of Windows 7 Jump Lists (by Alex Barnett)
4. Application User Model IDs (AppUserModelIDs) (by MSDN)
5. Developing for the Windows 7 Taskbar – Application ID (by Yochay Kiriaty)
6. Developing for the Windows 7 Taskbar – Jump into Jump Lists – Part 2 (by Yochay Kiriaty)
7. ForensicsWiki List of Jump List IDs

Other Info
Please check out the original blog post for which this information was gathered. It provides additional information and a nice layout for the AppIDs.

Reposted from http://forensicartifacts.com/2011/09/jump-list-appids/

Windows 7 Registry Forensics

How is management going to handle this situation? A typical approach would be to confront the workers. However, they most likely would deny any wrongdoing and probably try to obfuscate any potential evidence. Probably the best approach would be to covertly triage the live computers and perform post-mortem examinations of their hard drives. Frequently a business or corporation’s IT department members will lack the necessary qualifications or experience to perform these types of forensic examinations. This is not uncommon since IT personnel normally are not trained as forensic examiners.

Usually management will have to contract with an external digital forensics consulting firm to provide the services. In today’s world, it has become essential that management have processes in place (i.e. a plan) such that when an intrusion occurs or employee misconduct is alleged, they will have a firm foundation to support and assist with any potential civil or criminal proceedings. Failure to do so can have a detrimental effect upon the business or corporation.

A Windows computer system has several forensically important areas where probative information can be found: in the computer’s RAM (if the system is live), in the Registry, or on the computer’s hard drive. The examination and extraction of probative information from a live computer system involves the use of triage tools which themselves will make changes to those same forensically important areas! Although this violates the “golden rule” of digital forensics, in some circumstances there is no alternative. Presuming that examiners have previously verified the functionality of their triage tools, they should have a fairly good understanding, and be able to document, what changes are made to a live computer system when they use those tools.

Unless they are involved in incident response, examiners are not often confronted with having to image a live system. Normally they would forensically image computer hard drives post-mortem, in a controlled work environment. The image would then be examined for probative information. Most forensic tools incorporate automated built-in features such as recovering deleted folders, performing keyword searches, carving data from unallocated space, searching directories and files, and so forth. Automated features are a necessity as it would be extremely labor intensive for an examiner to manually search a hard drive. In today’s digital forensics environment, examiners must have specialized training, knowledge, skills, abilities, tools, and experience to ensure reliable and repeatable results when triaging either a live system or examining a computer hard drive post-mortem.

What Is the Windows Registry and What Does It Do?
Early Windows operating systems included a “WIN.INI” file (which controlled the desktop and all applications on the computer system) and a “SYSTEM.INI” file (which controlled the computer’s hardware). They also used the configuration files “config.sys” (which loaded device drivers) and “autoexec.bat” (which ran startup programs and set environment variables). When Windows 3.1 was introduced, it was initially targeted to the corporate work environment. One of the assumptions made was that very few Windows applications would be installed on each computer. This would then limit the number of stored system and application settings. Since program developers still needed to store application specific settings, they used individual “.ini” human readable text files which were linked to the “WIN.INI” file. These were generally organized in groups located in a shared location. However, there were a number of drawbacks to this practice: it did not allow for user-specific settings in a multi-user environment; there were no rules placed upon their storage by the operating system; their proliferation and storage anywhere on the hard drive made it difficult or virtually impossible to manage and optimize their performance; and their size limitations and slow access often hindered system operation.

The release of Windows 95 introduced a new concept, the “Registry.” Its purpose was to store all application settings in a standardized binary format in a centralized location and replace text-based configuration and “.ini” files. Because it provided one unified solution for accessing both system and application settings, the Registry was initially praised by developers, users, and administrators. Its advantages included: the binary format allowing for more efficient file parsing; Registry settings loading from user-specific paths; permitting multiple users to share the same computer; accessing a computer remotely, allowing for ease of backups and restorations. However, the introduction of the Registry created another whole set of unintended consequences: it now became more difficult to back up and recover individual applications; automated installers and uninstallers became more complex because configuration settings had to be created by the applications; a damaged or corrupted Registry might fail to load the device drivers necessary to boot the system. With the continuing requirements and demands of complex applications and network solutions, each iteration of the Windows Registry has grown larger and more complex.

The Microsoft Computer Dictionary, Fifth Edition, defines the Registry as: “A central hierarchical database used in Microsoft Windows 9x, Windows CE, Windows NT, and Windows 2000 used to store information that is necessary to configure the system for one or more users applications and hardware devices.” Windows XP, Windows Vista, and Windows 7 also contain a Registry. Although referred to as a “central hierarchical database,” the Registry is in fact a collection of files that are located in the “C:\Windows\System32\config” and “C:\Users\(Username)\” directories (Windows 7). The Registry contains information that Windows continually references such as the applications installed on the computer, the user profiles, the hardware on or attached to the system, property sheet folder settings, the ports being used, application icons, and so on. From a forensic perspective, the Registry is a gold mine that can often provide probative information to an investigator. For instance, some of the information that can be found in the Registry includes:
  • All the wireless networks that the computer has connected to
  • Recent search terms
  • Lists of the most recently used files or applications
  • Autorun locations that list applications to automatically run when the computer is booted
  • Contents of the User(s) desktop
  • All USB storage devices that have been attached to the computer
  • Malware (if it has installed itself as a service)
  • The directory structure and file names contained on external devices that have been attached to the computer (pre-Windows 7)
While the Windows Registry is forensically important, frequently it is not captured during the triage of a live system. Similarly, it is often overlooked during post-mortem examinations. Daily, examiners are faced with many challenges: a lack of training to perform triage on a live system; examining multiple hard drives containing terabytes of data; dealing with pressures from management to complete an arbitrary, often unrealistic, quota of examinations per month; constantly juggling and prioritizing overwhelming case loads; shortages of personnel; and until recently, limited tools for examining Registry files. When faced with these challenges, it is easy to understand why the Registry is not often forensically examined.

Reposted from http://www.dfinews.com/article/windows-7-registry-forensics-part-1?page=0,1

Malheur 0.5.2


CHANGES, doc/malheur.cfg, src/mconfig.c, src/mconfig.h: rewrote default configuration code