Saturday, June 16, 2007

Restore Point Analysis

Others have posted bits and pieces regarding System Restore Point analysis (Stephen Bunting's site has some great info), and I've even blogged on this topic before, but I wanted to add a bit more information and a tidbit or two I've run across. This will go a bit beyond what's in my book, but I do want to say that the content in my book is not invalidated in any way.

First off, you can use some of the tools on the DVD accompanying my book in either live response or during post-mortem analysis to collect information from the Restore Points. I've recently updated the code to the SysRestore.pl ProDiscover ProScript to make it more usable and flexible, given some situations I've seen recently.

Another interesting thing I've run across is that using an alternative method of analysis, such as mounting the acquired image as a read-only drive letter (using VDKWin or Mount Image Pro), can be more of a problem than a solution. Accessing the system this way can really be a boon to the examiner, as you can hit the system with an AV scanner (...or two...or three...) and save yourself a great deal of time trying to locate malware. However, the problem occurs due to the fact that the ACLs on the System Volume Information directory require System level access for that system, and even having System level access on your analysis system does not equate to System level access on the mounted image. So things tend not to work as well...files within the "protected" directories will not be scanned, and your alternative is to either perform your analysis within a forensic analysis application such as ProDiscover (using ProScripts), or export the entire directory structure out of the image, at which point, storage is then a consideration (I've seen systems with quite a number of Restore Points).

This is can be an issue because bad guys may try to hide stuff in these directories...read on...

Remember me mentioning the existence of web browsing history for the Default User? This indicates the use of the WinInet API (wget.exe, IE, etc.) by someone who accessed the system with System level privileges. This level of access would also allow that user to access the System Volume Information directory, where the Restore Points are maintained, and possibly put things there, such as executable image files, etc. It's unlikely that a restore point would be used for persistence (ie, point a Windows Service to an executable image within a restore point), as the restore points eventually get deleted or flushed out (see the fifo.log file). However, this would be an excellent place to put an installer or downloader file, and then the intruder could place the files that he wanted to be persistent in either the System Volume Information directory, or the "_restore*" directory.

So, besides looking for files that we know are in the Restore Points (ie, drivetable.txt, rp.log, Registry files), we should also consider looking for files that shouldn't be there, particularly if we find other artifacts that indicate a System-level intrusion.

Beyond this, Restore Points provide a wealth of historical information about the system. By parsing all of the rp.log files, we can develop a timeline of activity on the system that will give us an idea of what was done (system checkpoint, application install/uninstall, etc.) as well as provide us with that timeline...if the Restore Points are in sequence and the dates seem skewed, then we have an indication that someone may have fiddled with the system time. Using the drivetable.txt file, you can see what drives were attached to the system at the time that the Restore Point was created (by default, one is created every 24 hrs).

Beyond these files, we also have access to the Registry files that are backed up to the Restore Points. You can parse these to see if and when a user's privilege levels were modified (ie, added to the Administrator group), determine IP addresses and network settings for the system (parse the NetworkCards key from the Software file, then the Tcpip Services key from the System file), etc.

Analysis of the Registry files maintained in Restore Points is also useful in determining a timeline for certain Registry modifications that are difficult to pin down. For example, when a Registry value is added or modified, the key's LastWrite time is updated. What if one value is added, and one is modified...how do we determine which action caused the LastWrite time to be modified? Well, by using the historical data maintained in the Restore Points, we can look back and see that on this date, the modified value was there, but the added value wasn't...and then it appears in the next Restore Point. Not exact, but it does give us a timeline.

So...what interesting things have you found in Restore Points?

Links
Kelly's Korner (XP Restore Points)
MS Windows XP System Restore
System Restore WMI Classes

4 comments:

Anonymous said...

However, the problem occurs due to the fact that the ACLs on the System Volume Information directory require System level access for that system . . .

Good point, Harlan. I've mentioned this before on other lists, but, without the correct permissions, you won't even be able to virus scan a mounted volume correctly. I suspect that a number of examiners simply run a scanner against a mounted volume, without realizing that their scanners are not evaluating the main user's Docs & Settings tree. The reason is becuase the examiner does not have premission to access the folders. The workaround for this is to take ownership of the entire tree, and this will work in MIP. However, you can't make yourself System or grant access to yourself over objects on the mounted volume.

Speaking of Restore Points, I just learned that Vista will present a whole new ballgame. Gone are the periodic backups of entire registry hives. As I recall, they're replaced by copies of updated blocks, similar, I think, to the shadow copies we will see. Also, the folder structure is changed.

H. Carvey said...

Jimmy,

...Vista will present a whole new ballgame

Yes, this is something we're all looking forward to! ;-)

Gone are the periodic backups of entire registry hives.

I'm not sure I follow...XP doesn't back up entire Registry hives. If you access the Restore Points, you'll see that the file sizes for the Registry files are different (ie, smaller) than what you find in the config directory.

Anonymous said...

I'm not sure I follow...XP doesn't back up entire Registry hives.

Quite true. I believe that Vista, however, will back up blocks of changed data, so you will not find the typical registry hives, segregated historically.

Cory said...

Another interesting thing I've run across is that using an alternative method of analysis, such as mounting the acquired image... However, the problem occurs due to the fact that the ACLs on the System Volume Information directory require System level access for that system...

Solution: Mount the file system from an operating system which does not interpret NTFS application level access controls. :-)