Hello all,
Just wanted to let people know I have released a USN Journal record parser plugin for
volatility.
https://github.com/tomspencer/volatility/tree/master/usnparser
For anyone who wants a refresher on the USN journal and its forensic significance, I
recommend these sites:
<http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html>
<http://securitybraindump.blogspot.com/2011/07/dear-diary-today-i-was-infected-with.html>
The USN journal has been very useful to us in a variety of circumstances, so I highly
recommend including it in your work/timelining flow if you don't already. I've even seen
situations where journal records from external NTFS volumes persist in memory even after
the device is removed, but those results have been inconsistent.
This plugin should work on any version of Windows that does USN journaling (Vista/2008 and
up, XP SP3 if you specifically turn it on), and it should play well with Unicode file
names including calling out special Unicode characters like directional changes.
For an example of calling out direction changes:

2014-04-16 20:51:23.116,0x257L,0x3L,0x14de3L,0x3L,0x4806360L,"utf-canary.<RLO>txt.scr",RENAME_NEW_NAME & CLOSE,ARCHIVE
The <RLO> indicates a Unicode Right-To-Left Override character. This means that
although the actual filename extension was txt.scr, a screen saver filetype which is
expected to be an executable, it would have appeared to the user as utf-canary.rcs.txt
which most users would expect to be a text file they could safely click.
This is my first volatility plugin so I'd love any feedback/suggestions/questions. Based on
some feedback from MHL I'll be doing some testing to see if I should turn on timestamp
validation by default, but I'm open to other changes/additions people would like to
see.
Basic notes on the plugin are below. Enjoy!
Thanks,
Tom
A note on USN record versions. The literature I can find seems to suggest that starting
with Windows NT 6.2 families (8/2012) the OS should be using version 3 records, and this
plugin does support these records. That said, testing has shown that at least in memory,
these OSs still seem to use v2 records. As such, unless otherwise specified with the -R3
flag, this plugin will always assume v2 records.
In my testing there has been a significant number of duplicates in memory, so piping to
sort -u can be effective.
Invocation example:

CSV output

$ vol.py --profile Win7SP1x64 -f Windows7SP1x64.vmem usnparser --output=csv
Volatility Foundation Volatility Framework 2.3.1
timestamp,MFTEntry,MFTEntryUSN,Parent,ParentUSN,usn#,"Filename",Reason,Attributes
2014-01-26 09:01:19.079,0x5056L,0x1L,0x7beL,0x1L,0x10f35c0L,"ngen_service.log",EXTEND & CLOSE,ARCHIVE
2014-01-26 09:01:19.079,0x7d8L,0x86L,0x7beL,0x1L,0x10f3620L,"ngen_service.lock",CREATE & DELETE & CLOSE,ARCHIVE
2014-01-26 09:01:19.142,0x7d8L,0x89L,0x28eL,0x1L,0x10f39d8L,"GACLock.dat",CREATE,ARCHIVE & TEMPORARY
2014-01-26 09:01:19.142,0x7d8L,0x89L,0x28eL,0x1L,0x10f3a30L,"GACLock.dat",CREATE & DELETE & CLOSE,ARCHIVE & TEMPORARY
....
BODY output, suitable for using with mactime

$ vol.py --profile Win7SP1x64 -f Windows7SP1x64.vmem usnparser --output=body | head
Volatility Foundation Volatility Framework 2.3.1
0|[USN JOURNAL] ngen_service.log EXTEND & CLOSE/USN: 17774016/PARENT MFT: 1982|20566|---a-----------|0|0|0|1390726879|1390726879|1390726879|1390726879
0|[USN JOURNAL] ngen_service.lock CREATE & DELETE & CLOSE/USN: 17774112/PARENT MFT: 1982|2008|---a-----------|0|0|0|1390726879|1390726879|1390726879|1390726879
0|[USN JOURNAL] GACLock.dat CREATE/USN: 17775064/PARENT MFT: 654|2008|---a--t--------|0|0|0|1390726879|1390726879|1390726879|1390726879
0|[USN JOURNAL] GACLock.dat CREATE & DELETE & CLOSE/USN: 17775152/PARENT MFT: 654|2008|---a--t--------|0|0|0|1390726879|1390726879|1390726879|1390726879
The current version's help output (flags specific to usnparser start at "-T,
--timestamp"):

$ vol.py usnparser -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/home/vol/.volatilityrc
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
  --cache-directory=/home/vol/.cache/volatility
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the timezone for displaying timestamps
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
  --profile=WinXPSP2x86
                        Name of the profile to load
  -l LOCATION, --location=LOCATION
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --output=text         Output in this format (format support is module
                        specific)
  --output-file=OUTPUT_FILE
                        write output in this file
  -v, --verbose         Verbose information
  --shift=SHIFT         Mac KASLR shift address
  -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address
  -T, --timestamp       Print timestamps instead of human-readable dates
  -E, --unixtime        Use Unix Epoch 32-bit timestamps instead of native
                        Windows 64-bit timestamps (loses subsecond accuracy).
                        DOES NOT imply -T above.
  -C, --checktime       Don't show entries with timestamps outside of unix
                        epoch range to reduce corrupt entries
  -S, --strict          Enable stricter checks on record integrity to further
                        reduce corrupt entries
  -O, --offset          Show the physical offset for each record
  -R RECORDTYPE, --recordtype=RECORDTYPE
                        Force version of USN record (2 or 3) to search for. In
                        testing so far all OS's seem to use version 2 records
                        in memory (even 8.1/2012r2 which purport to use R3).
                        As such, default is R2.
  -U, --unicode         Show unicode (utf-8) filenames. Be aware that due to
                        corrupted records there will likely be strange
                        characters in some places. Using -C and -S can help
                        cut this down.

---------------------------------
Module USNParser
---------------------------------
Scans for and parses USN journal records