Detecting File Opening and Deletion using Memory Forensics

Scenario: You are tasked with the investigation of a disgruntled employee who was accused of accessing and deleting a confidential file.

Approach: Carving Artifacts for Deleted File

This approach answers the question(s):

What is the accessed file’s name?

      • Confidential.txt

What is the file name after being deleted?

      • $R9DLA6G.txt

Was the file opened? How so?

      • Yes, confidential.txt.lnk file was found.
      • Yes, CONFID~1.LNK was found.

When was the file created, accessed, modified and deleted?

      • Creation: 2022-07-17 UTC+0000
      • Modified: 2022-07-17 1:27:14 UTC+0000
      • MFT Altered: 2022-07-17 01:28:29 UTC+0000
      • Access Date: 2022-07-17 01:25-26 UTC+0000

Below is the detailed step-by-step analysis performed to extract valuable information from the given memory sample.

#note: Use a separate isolated machine to perform this task.

In this lab, we are going to mimic a scenario that someone opened and deleted a confidential file.

To begin, we create a sample text file and name it “Confidential.txt”.

We assume that the file was opened and deleted.

The image below shows the text file being created, then opened, deleted, and finally the Recycle Bin being emptied.

#note: When a disgruntled employee or an attacker has accessed a file, there is a possibility that they will also delete it.

In order to proceed with the investigation, we will need to capture the volatile memory of the endpoint where the file was stored.

In our case, we will use AccessData FTK Imager.

To capture memory using this tool:

First, click the memory icon.

Next, choose the destination folder.

Optionally, we can also capture “pagefile.sys” or create an “AD1 File”.

Finally, hit “Capture Memory”.


Now that we have captured the volatile memory, we can proceed to Step 3: Extracting $MFT Entries.

Assuming we have already acquired the volatile memory, we can now extract the $MFT entries found in that image.


Steps:

First, we need to use a memory analysis tool.

In our case, we use Volatility with the mftparser plugin.

Next, run the following syntax:

In Windows: vol.exe -f <mem_dump> --profile=<OS> mftparser --output-file=mft.txt -D <dir>

In Linux: python vol.py -f <mem_dump> --profile=<OS> mftparser --output-file=mft.txt -D <dir>

After executing this command, mft.txt is created in the working directory and every $MFT entry is dumped as a separate file into the directory given with -D (mftentries in our case).

Note: This syntax extracts all the $MFT entries found in memory in verbose mode. If the analyst prefers a single file of the collected entries, the body-file format can be selected instead with --output=body (together with --output-file=<name>).


After successfully extracting the $MFT entries, we can search for the file of interest using a search tool.

We can perform this task by running the following syntax: findstr -i "confidential" mftentries\*.dmp

In Windows: findstr -i "sometext" dir\*.dmp

In Linux: grep -ri "sometext" dir

Now, we can see that the keyword we searched for was found in the $MFT entry dump file.0x266cdc00.data0.dmp
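As an added example (not part of the original lab, and not Volatility's own code), the following Python script performs the same keyword search over the body-format output that mftparser writes with --output=body, parsing each line instead of grepping raw bytes so that the matching entry offsets and the four NTFS timestamps come out already decoded. The sample lines are constructed for this example in the Sleuth Kit body layout (md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime with Unix epoch times); the [MFT STD_INFO]/[MFT FILE_NAME] decoration, the paths and the record numbers are assumptions, and the epoch values were chosen to match the times reported in this write-up.

```python
import re
from datetime import datetime, timezone

# Constructed sample of body-format output (Sleuth Kit mactime layout). The
# "[MFT ...] path (Offset: 0x...)" decoration mirrors what Volatility 2's
# mftparser --output=body prints, but the paths, offsets, record numbers and
# epoch times below are made up for this example (times match the write-up).
SAMPLE_BODY = """\
0|[MFT STD_INFO] Users\\lab\\Desktop\\Confidential.txt (Offset: 0x266cdc00)|39|---a-----------|0|0|23|1658021100|1658021234|1658021309|1658021100
0|[MFT FILE_NAME] Users\\lab\\Desktop\\Confidential.txt (Offset: 0x266cdc00)|39|---a-----------|0|0|23|1658021100|1658021100|1658021100|1658021100
0|[MFT STD_INFO] Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Confidential.txt.lnk (Offset: 0x2a1f0400)|41|---a-----------|0|0|512|1658021160|1658021160|1658021160|1658021160
0|[MFT STD_INFO] Windows\\System32\\notepad.exe (Offset: 0x1b004000)|1002|---a-----------|0|0|243712|1640000000|1640000000|1640000000|1640000000
0|[MFT STD_INFO] $Recycle.Bin\\S-1-5-21-1\\$R9DLA6G.txt (Offset: 0x266cdc00)|39|---a-----------|0|0|23|1658021100|1658021234|1658021309|1658021100
"""

BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
NAME_RE = re.compile(r"^\[MFT (\w+)\] (.*) \(Offset: (0x[0-9a-fA-F]+)\)$")
# In NTFS body output the "ctime" slot carries the MFT-altered (entry change) time.
TIME_LABELS = (("crtime", "Creation"), ("atime", "Access Date"),
               ("mtime", "Modified"), ("ctime", "MFT Altered"))


def parse_body_line(line):
    """Parse one body-format line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        return None
    rec = dict(zip(BODY_FIELDS, parts))
    try:
        for key, _ in TIME_LABELS:
            rec[key] = datetime.fromtimestamp(int(rec[key]), tz=timezone.utc)
    except ValueError:
        return None
    m = NAME_RE.match(rec["name"])
    # Entries without the decoration keep the raw name so nothing is silently dropped.
    rec["attr"], rec["path"], rec["offset"] = (m.groups() if m else ("?", rec["name"], "?"))
    return rec


def search_body(body_text, keyword):
    """Case-insensitive path search, the parsed equivalent of findstr -i / grep -i."""
    kw = keyword.lower()
    return [rec for rec in map(parse_body_line, body_text.splitlines())
            if rec is not None and kw in rec["path"].lower()]


def offsets_of(hits):
    """Distinct MFT entry offsets, ready to feed back into `mftparser -o <offset>`."""
    return sorted({rec["offset"] for rec in hits})


def timeline(hits):
    """Flatten the four NTFS timestamps of each hit into one chronologically sorted list."""
    events = [(rec[key], label, rec["attr"], rec["path"])
              for rec in hits for key, label in TIME_LABELS]
    events.sort()
    return events


if __name__ == "__main__":
    hits = search_body(SAMPLE_BODY, "confidential")
    print("entries to dump with mftparser -o:", ", ".join(offsets_of(hits)))
    for when, label, attr, path in timeline(hits):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {label:<12} {attr:<10} {path}")
```

The offsets returned by offsets_of are exactly the values you would hand to Option 1 below (mftparser -o), and the timeline sorts the Creation, Access, Modified and MFT Altered times of every hit together, which makes the order of events (create, open, rename into the Recycle Bin) visible at a glance.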


Now that we have found the string of interest, we can proceed to Step 4: Digging Deep.

After performing the string search over the extracted $MFT entries, we can dig deeper into our investigation.

Since the keyword was found in one of the entry dumps inside the mftentries directory, we have two options to view the data of that entry:


Option 1: We can use Volatility mftparser with the -o (offset) option to dump the entry's data in our terminal.

We can run the following syntax to dump the data:

In Windows: vol.exe -f <mem_dump> --profile=<OS> mftparser -o <offset_addr>

In Linux: python vol.py -f <mem_dump> --profile=<OS> mftparser -o <offset_addr>

#note: Copy the offset address from the file name reported by the findstr/grep result (0x266cdc00 from file.0x266cdc00.data0.dmp in our case).


Option 2: We can use a string-extraction tool like BinText to view the data inside.

For Option 2, drag the $MFT entry dump into a string-extraction tool such as BinText, as shown in the previous step.


After performing Option 1, we can now see the data inside the target $mft entry.

We can also see the file name after being deleted.

From here, we can answer the question “What is the file name after being deleted?” A: $R9DLA6G.txt

From here, we can also answer the question “When was the file accessed, modified and deleted?” A:

      • Creation: 2022-07-17 UTC+0000
      • Modified: 2022-07-17 1:27:14 UTC+0000
      • MFT Altered: 2022-07-17 01:28:29 UTC+0000
      • Access Date: 2022-07-17 01:25-26 UTC+0000
#Note: Because we created the file and deleted it almost at the same time, the entries carry the same date and near-identical times. In a real incident, this data might be different or even altered.
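As an added example (not part of the original lab), the following Python script parses the dump of a single entry as Option 1 prints it, pulls the four timestamps out of both the $STANDARD_INFORMATION and $FILE_NAME attributes, and answers the two questions above from the parsed data. It also shows the check a practitioner wants for the "might be altered" caveat: $FILE_NAME timestamps are maintained by the kernel and are rarely touched by timestomping tools, so a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is a classic sign of backdating. The sample text is constructed in the column layout of mftparser's verbose output (an assumption); the record number, path and Recycle Bin folder are invented, and the timestamps match the values reported in this write-up.

```python
import re
from datetime import datetime

# Constructed sample in the layout of mftparser's verbose output for one entry.
# Layout, record number and path are assumptions; times match the write-up.
SAMPLE_ENTRY = """\
***************************************************************************
MFT entry found at offset 0x266cdc00
Attribute: In Use & File
Record Number: 39
Link count: 1

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2022-07-17 01:25:00 UTC+0000 2022-07-17 01:27:14 UTC+0000 2022-07-17 01:28:29 UTC+0000 2022-07-17 01:25:00 UTC+0000 Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2022-07-17 01:25:00 UTC+0000 2022-07-17 01:25:00 UTC+0000 2022-07-17 01:25:00 UTC+0000 2022-07-17 01:25:00 UTC+0000 $Recycle.Bin\\S-1-5-21-1\\$R9DLA6G.txt

$DATA
"""

# Same entry with the $STANDARD_INFORMATION creation time pushed back to 2019,
# the kind of inconsistency a timestomping tool leaves behind (constructed).
TAMPERED_ENTRY = SAMPLE_ENTRY.replace(
    "2022-07-17 01:25:00 UTC+0000 2022-07-17 01:27:14",
    "2019-01-01 00:00:00 UTC+0000 2022-07-17 01:27:14", 1)

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
ROW_RE = re.compile(rf"^({TS}) ({TS}) ({TS}) ({TS}) (.*)$")
TIME_KEYS = ("creation", "modified", "mft_altered", "accessed")


def parse_ts(text):
    """'2022-07-17 01:25:00 UTC+0000' -> timezone-aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC%z")


def parse_entry(text):
    """Pull offset, record number and the timestamp row of each attribute section."""
    entry = {"offset": None, "record": None, "attributes": {}}
    section = None
    for line in text.splitlines():
        m = re.match(r"^MFT entry found at offset (0x[0-9a-fA-F]+)", line)
        if m:
            entry["offset"] = m.group(1)
            continue
        m = re.match(r"^Record Number: (\d+)", line)
        if m:
            entry["record"] = int(m.group(1))
            continue
        if re.match(r"^\$[A-Z_]+$", line.strip()):
            section = line.strip()          # $STANDARD_INFORMATION, $FILE_NAME, $DATA ...
            continue
        m = ROW_RE.match(line)
        if m and section is not None:
            row = dict(zip(TIME_KEYS, map(parse_ts, m.groups()[:4])))
            row["extra"] = m.group(5).strip()   # Type column for SI, Name/Path for FN
            entry["attributes"][section] = row
    return entry


def analyze(entry):
    """Answer the write-up's questions from one entry and flag SI/FN inconsistencies."""
    si = entry["attributes"].get("$STANDARD_INFORMATION")
    fn = entry["attributes"].get("$FILE_NAME")
    name = fn["extra"].split("\\")[-1] if fn else None
    return {
        "offset": entry["offset"],
        "record": entry["record"],
        "name": name,                                   # name after deletion ($R... form)
        "last_metadata_change": si["mft_altered"] if si else None,
        # SI creation earlier than FN creation: SI times were most likely backdated.
        "si_creation_before_fn": bool(si and fn and si["creation"] < fn["creation"]),
    }


if __name__ == "__main__":
    for label, text in (("as captured", SAMPLE_ENTRY), ("backdated SI", TAMPERED_ENTRY)):
        print(label, analyze(parse_entry(text)))
```

In the lab data both attributes agree, so si_creation_before_fn is False; the second, constructed entry shows what the flag looks like when the $STANDARD_INFORMATION times have been pushed back. The comparison is a heuristic: $FILE_NAME times can also be refreshed by a rename or move, so treat a hit as a reason to look further, not as proof.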

From the previous step, we identified the file name after it was deleted and the date/time artifacts.

In this step we will answer the remaining questions:

Was the file opened? How so?

What is the accessed file’s name?

To do this:


First, we need to open the mft.txt which contains the verbose mode of $mft entries extraction.

Next, we search for the file name itself.

In our case, we are interested in the string “Confidential”, since it produced a hit when searching the extracted $MFT entries.


After a few searches, we land on this data: CONFID~1.LNK and Confidential.txt.lnk

From this data, we can see the file name Confidential.txt and a .lnk file, which is a shortcut file that Windows creates when the file is opened.

We can see from this evidence source that our confidential file was accessed, because the .LNK file was created.
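As an added example (not part of the original lab), here is that inference written as code: given the target file name and the names pulled out of mft.txt, it reports the shortcut evidence (the long .lnk name and its 8.3 short form, which is why CONFID~1.LNK turns up next to Confidential.txt.lnk) and pairs the Recycle Bin $R content file with its $I metadata twin. The list of observed paths is constructed; the user name, the Recycle Bin SID folder and the extra files are invented for the example.

```python
import re

# Constructed list of paths an analyst might pull out of mft.txt (user name,
# Recycle Bin SID folder and the unrelated files are invented for this example).
OBSERVED_PATHS = [
    r"Users\lab\Desktop\Budget.xlsx",
    r"Users\lab\AppData\Roaming\Microsoft\Windows\Recent\Confidential.txt.lnk",
    r"Users\lab\AppData\Roaming\Microsoft\Windows\Recent\CONFID~1.LNK",
    r"$Recycle.Bin\S-1-5-21-1\$R9DLA6G.txt",
    r"$Recycle.Bin\S-1-5-21-1\$I9DLA6G.txt",
    r"$Recycle.Bin\S-1-5-21-1\$RQ2M7KX.docx",
]

# Since Vista the Recycle Bin stores a deleted file as $R<6 chars><ext> (content)
# plus $I<same 6 chars><ext> (original path, size and deletion time).
RECYCLE_RE = re.compile(r"^\$([RI])([A-Z0-9]{6})(\.[^\\]*)?$", re.IGNORECASE)


def short_name_83(filename):
    """Approximate the 8.3 short name Windows generates (Confidential.txt -> CONFID~1.TXT).

    Simplified: assumes the first generated name (~1) and only strips characters
    that 8.3 names cannot hold; enough to recognise a hit like CONFID~1.LNK.
    """
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = ext, ""
    clean = lambda s: re.sub(r"[^A-Z0-9_$~!#%&'()@^`{}-]", "", s.upper())
    stem, ext = clean(stem), clean(ext)[:3]
    if len(stem) > 8:
        stem = stem[:6] + "~1"
    return stem + ("." + ext if ext else "")


def evidence_for(target, observed_paths):
    """Collect the 'opened' (.lnk) and 'deleted' (Recycle Bin) traces for one file name."""
    names = [p.split("\\")[-1] for p in observed_paths]
    target_ext = ("." + target.rpartition(".")[2]) if "." in target else ""
    lnk_long = (target + ".lnk").lower()
    lnk_short = short_name_83(target + ".lnk")
    opened = [n for n in names if n.lower() == lnk_long or n.upper() == lnk_short]

    recycled = {}        # six-char id -> {"data": $R name, "meta": $I name}
    for n in names:
        m = RECYCLE_RE.match(n)
        if m and (m.group(3) or "").lower() == target_ext.lower():
            slot = "data" if m.group(1).upper() == "R" else "meta"
            recycled.setdefault(m.group(2).upper(), {"data": None, "meta": None})[slot] = n
    return {"target": target, "opened": opened, "recycle_bin": list(recycled.values())}


def verdict(ev):
    """One-line summary in the write-up's terms."""
    opened = ("yes (shortcut %s)" % ", ".join(ev["opened"])) if ev["opened"] else "no shortcut found"
    deleted = [d["data"] for d in ev["recycle_bin"] if d["data"]]
    return f"{ev['target']}: opened: {opened}; Recycle Bin name: {', '.join(deleted) or 'none'}"


if __name__ == "__main__":
    print(verdict(evidence_for("Confidential.txt", OBSERVED_PATHS)))
    print(verdict(evidence_for("Budget.xlsx", OBSERVED_PATHS)))
```

The $I twin is worth searching for as well: it records the original path and the deletion time, so it confirms where $R9DLA6G.txt came from instead of leaving you to infer it from the shared MFT entry. Emptying the Recycle Bin removes both files from disk, but their MFT records can survive in memory, which is exactly what this lab relies on. Matching only by extension is deliberately loose; on a busy system expect several $R candidates and use the $I contents or the MFT timestamps to pick the right one.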

Using the approach discussed above, we answered all of the questions needed for our investigation: identifying the file name, the date/time of the file access and modification, locating the file name after it was deleted, and finally concluding that the file was accessed.

We can collect artifacts useful for our investigation by using memory forensics.

We are not claiming or assuming that memory forensics alone can provide us with this type of evidence because there are other methods for locating these artifacts on Windows systems.

This is just one approach; depending on your situation, you can use others such as Registry, Jump List, and so on.

PS:

Why did we come up with the keyword “confidential” for the string/file search?

There are many ways to arrive at it; for example, communicating with the file owner and using that information to start the triage.

Remember: in forensics you have to start from what you know and from the data at hand.