Difference between pages "WinFE" and "Malware"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m (Resources:)
 
(HackingTeam)
 
Line 1: Line 1:
{{Infobox_Software |
+
'''Malware''' is a short version of '''Malicious Software'''.
  name = Windows Forensic Environment |
+
  maintainer = [[Windows Forensic Environment Project]] |
+
  os = {{Windows}} |
+
  genre = {{Live CD}} |
+
  license = unknown |
+
  website = http://winfe.wordpress.com |
+
}}
+
  
 +
Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.
  
'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
+
== Virus ==
                                             
+
A computer program that can automatically copy itself and infect a computer.
== Windows Forensic Environment ("WinFE") ==
+
  
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [http://www.twine.com/item/113421dk0-g99/windows-fe].  WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
+
== Worm ==
It works similar to Linux forensic CDs that are configured not to mount media upon booting. 
+
A self-replicating computer program that can automatically infect computers on a network.
However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
+
WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
+
  
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [http://reboot.pro].
+
== Trojan horse ==
+
A computer program which appears to perform a certain action, but actually performs many different forms of codes.
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:
+
* X-Ways Forensics [http://www.x-ways.net],
+
* AccessData FTK Imager [http://www.accessdata.com],
+
* Guidance Software Encase [http://www.guidancesoftware.com],
+
* ProDiscover [http://www.techpathways.net],
+
* RegRipper [http://www.RegRipper.wordpress.com].
+
  
A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [http://www.ramsdens.org.uk/].  Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
+
== Spyware ==
 +
A computer program that can automatically intercept or take partial control over the user's interaction.
  
== Technical Background and Forensic Soundness ==
+
== Exploit Kit ==
 +
A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits]. Often utilizing a drive-by-download.
  
Windows FE is based on the modification of just two entries in the Windows Registry.
+
=== Drive-by-download ===
The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".  
+
Any download that happens without a person's knowledge [http://en.wikipedia.org/wiki/Drive-by_download].
By doing this the Mount-Manager service will not automatically mount any storage device.
+
The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
+
While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
+
  
The latest modification (New for Windows 8) to the registry is SAN policy 4.  SAN policy 4 Makes internal disks offline. Note. All external disks and the boot disk are online.
+
== Rootkit ==
 +
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.
  
Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes.  Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent.  Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
+
== See Also ==
 +
* [[Malware analysis]]
  
== Resources: ==
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Malware Wikipedia: malware]
 +
* [http://en.wikipedia.org/wiki/Drive-by_download Wikipedia: drive-by-download]
 +
* [http://www.viruslist.com/ Viruslist.com]
 +
* [http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares Androguard]: A list of recognized Android malware
  
* Windows Forensic Environment blog:  [http://www.winfe.wordpress.com]
+
=== Analysis ===
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]  
+
* [http://sempersecurus.blogspot.ch/2013/12/a-forensic-overview-of-linux-perlbot.html A Forensic Overview of a Linux perlbot], by Andre M. DiMino, December 17, 2013
* step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
+
* [http://research.zscaler.com/2014/02/probing-into-flash-zero-day-exploit-cve.html Probing into the Flash Zero Day Exploit (CVE-2014-0502)], by Krishnan Subramanian, February 21, 2014
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
+
* [http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf Operation Windigo], by Olivier Bilodeau, Pierre-Marc Bureau, Joan Calvet, Alexis Dorais-Joncas, Marc-Étienne M.Léveillé, Benjamin Vanheuverzwijn, March, 2014
* Windows Automated Installation Kit: [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
+
* [http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx Security Advisory 2953095: recommendation to stay protected and for detections\, by Chengyun Chu, Elia Florio, March 24, 2014
* WinFE Write Protect tool [http://www.ramsdens.org.uk/]
+
 
* WinFE Online Training course [http://courses.dfironlinetraining.com/windows-forensic-environment]
+
=== Exploit Kit ===
 +
* [http://blog.zeltser.com/post/1410922437/what-are-exploit-kits What Are Exploit Kits?], by [[Lenny Zeltser]], October 26, 2010
 +
* [http://nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/ The four seasons of Glazunov: digging further into Sibhost and Flimkit], by Fraser Howard, July 2, 2013
 +
* [http://www.kahusecurity.com/2013/kore-exploit-kit/ Kore Exploit Kit], Kahu Security blog, July 18, 2013
 +
 
 +
=== Rootkit ===
 +
* [http://en.wikipedia.org/wiki/Rootkit Wikipedia: Rootkit]
 +
* [http://articles.forensicfocus.com/2013/11/22/understanding-rootkits/ Understanding Rootkits: Using Memory Dump Analysis for Rootkit Detection], by Dmitry Korolev, Yuri Gubanov, Oleg Afonin, November 22, 2013
 +
 
 +
=== HackingTeam ===
 +
* [https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ Police Story: Hacking Team’s Government Surveillance Malware], by Morgan Marquis-Boire, John Scott-Railton, Claudio Guarnieri, and Katie Kleemola, June 24, 2014
 +
* [http://www.securelist.com/en/blog/8231/HackingTeam_2_0_The_Story_Goes_Mobile HackingTeam 2.0: The Story Goes Mobile], Kaspersky Lab, June 24, 2014
 +
* [http://reverse.put.as/wp-content/uploads/2014/06/ShakaCon6-FuckYouHackingTeam.pdf Fuck you Hacking Team], by fG! at ShakaCon 2014, June 2014
 +
 
 +
 
 +
[[Category:Malware]]

Revision as of 03:12, 5 July 2014

Malware is a short version of Malicious Software.

Malware is software used for data theft, device damage, harassment, etc. It is very similar to computer malware. It installs things such as trojans, worms, and botnets to the affected device. It is illegal to knowingly distribute malware.

Virus

A computer program that can automatically copy itself and infect a computer.

Worm

A self-replicating computer program that can automatically infect computers on a network.

Trojan horse

A computer program which appears to perform a certain action, but actually performs many different forms of codes.

Spyware

A computer program that can automatically intercept or take partial control over the user's interaction.

Exploit Kit

A toolkit that automates the exploitation of client-side vulnerabilities, targeting browsers and programs that a website can invoke through the browser [1]. Often utilizing a drive-by-download.

Drive-by-download

Any download that happens without a person's knowledge [2].

Rootkit

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to an operating system.

See Also

External Links

Analysis

Exploit Kit

Rootkit

HackingTeam