Disk and File System Use


  • a file system stores metadata about when files were created, accessed, and modified
    • analyzing this can help identify suspicious activity and create a timeline of events
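A worked example of the timeline idea above, added here and not part of the original notes: it walks a directory tree, collects each file's modified/accessed/changed timestamps, and flattens them into one sorted timeline plus a "what was touched since the alert" view. The `touched_since` cutoff and the paths are assumptions of the example.

```python
import os
import sys
from datetime import datetime, timezone


def collect_mac_times(root):
    """Walk `root` and record each file's modified/accessed/changed timestamps.

    Note: st_ctime is the inode change time on Unix-like systems but the
    creation time on Windows; st_birthtime (true creation time) is recorded
    only where the platform exposes it.
    """
    records = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the walk
            rec = {"path": path, "size": st.st_size,
                   "mtime": st.st_mtime, "atime": st.st_atime, "ctime": st.st_ctime}
            if hasattr(st, "st_birthtime"):
                rec["btime"] = st.st_birthtime
            records.append(rec)
    return records


def build_timeline(records):
    """Flatten records into (timestamp, event, path) tuples, oldest first.

    One file yields one event per timestamp type, so the same path appears
    several times: this is the timeline view used to see what was created,
    modified and read around a point of interest.
    """
    events = []
    for rec in records:
        for key in ("btime", "ctime", "mtime", "atime"):
            if key in rec:
                events.append((rec[key], key, rec["path"]))
    events.sort()
    return events


def touched_since(records, since_ts):
    """Paths with any timestamp at or after `since_ts` (epoch seconds),
    e.g. everything written or read since the first alert."""
    keys = ("btime", "ctime", "mtime", "atime")
    return sorted({rec["path"] for rec in records
                   if any(rec.get(k, 0) >= since_ts for k in keys)})


def format_event(event):
    ts, kind, path = event
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return f"{stamp}  {kind:5}  {path}"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for ev in build_timeline(collect_mac_times(root)):
        print(format_event(ev))
```

Run it against a directory of interest; because a file contributes one event per timestamp type, a file that was read long after it was last written shows up twice, far apart, which is exactly the relationship a timeline is meant to expose.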

Staging Areas and Data Exfiltration

  • In a data exfiltration attack, malware can use several different techniques to stage data before exfiltration
    • e.g., temporary files and folders, user profiles, masking data as log files, creating alternate data streams (ADS) and the Recycle Bin
    • data is often compressed and encrypted
  • files stored in system folders or root are suspicious
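The staging indicators above (archives, encrypted blobs, data masked as log files, temp folders and the Recycle Bin) as a small scanner, added as an example and not taken from the notes: it checks a file's leading bytes for archive signatures, measures byte entropy to spot encrypted data with no recognizable header, and flags archives hiding behind a `.log`/`.txt` extension. The `STAGING_HINTS` list and the entropy threshold are assumptions chosen for the example.

```python
import math
import os

# Leading bytes of archive formats commonly used to bundle data before exfiltration
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}

# Path fragments (lower-case, forward slashes) for staging locations; assumed list, extend per environment
STAGING_HINTS = ("/temp/", "/tmp/", "/var/tmp/", "/appdata/local/temp/", "/$recycle.bin/", "/recycler/")


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0); compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def archive_type(head):
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def in_staging_location(path):
    """True when the file's directory matches one of the assumed staging hints."""
    directory = os.path.dirname(path.replace("\\", "/")).lower() + "/"
    return any(hint in directory for hint in STAGING_HINTS)


def assess_file(path, sample_size=4096, entropy_threshold=7.2):
    """Content-based reasons a file looks like staged exfiltration data."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    kind = archive_type(head)
    ent = shannon_entropy(head)
    reasons = []
    if kind:
        reasons.append(f"archive:{kind}")
        if os.path.splitext(path)[1].lower() in (".log", ".txt"):
            reasons.append("archive-masquerading-as-text")  # data "masked" as a log file
    elif ent >= entropy_threshold and len(head) >= 256:
        reasons.append(f"high-entropy:{ent:.2f}")  # random-looking with no known header: likely encrypted
    return {"path": path, "archive": kind, "entropy": round(ent, 2),
            "staging_location": in_staging_location(path), "reasons": reasons}


def scan_directory(root):
    """Assessments of files with at least one content-based reason, staged-location hits first."""
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                result = assess_file(path)
            except OSError:
                continue
            if result["reasons"]:
                hits.append(result)
    hits.sort(key=lambda r: (not r["staging_location"], r["path"]))
    return hits
```

Location alone is not treated as a finding (temp folders are full of legitimate files); it is used to rank content-based hits, so an archive or high-entropy blob sitting in a temp folder or the Recycle Bin rises to the top of the list.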

File and File System Viewers

  • Windows dir command has advanced functionality for file system analysis:
    • /Ax filters all file/folder types that match the given parameter x
      • e.g., dir /AH displays only hidden files and folders
    • /Q displays file ownership in addition to standard information
    • /R displays alternate data streams for a file
      • helps identify a malicious process attached to a legit file
  • ADS can also be audited using ADS Spy
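As an added example (not from the notes), a parser for the `dir /R` listing format described above: alternate data streams are printed on their own indented lines with no date, as size followed by `file:stream:$DATA`, so they can be pulled out programmatically and triaged. The listing below is constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\Users\\analyst\\Documents

03/15/2024  09:12 AM    <DIR>          .
03/15/2024  09:12 AM    <DIR>          ..
03/14/2024  04:40 PM            18,204 report.docx
                               102,400 report.docx:payload.exe:$DATA
03/15/2024  09:12 AM               512 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
               2 File(s)         18,716 bytes
               2 Dir(s)  51,234,567,168 bytes free
"""

DIR_LINE = re.compile(r"^ Directory of (.+?)\s*$")
# ADS lines: leading whitespace, size with thousands separators, then file:stream:$DATA
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):(.+?):\$DATA\s*$")

# Streams browsers and mail clients write legitimately (Mark of the Web); not suspicious by themselves
BENIGN_STREAMS = {"zone.identifier"}


def parse_dir_r(text):
    """Extract directory, file, stream name and size for every ADS line in `dir /R` output."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            entries.append({"directory": current_dir, "file": m.group(2),
                            "stream": m.group(3), "size": size})
    return entries


def suspicious_streams(entries, min_size=1024):
    """Flag streams that are not known-benign and either carry an executable-looking
    name or are large enough to hold a payload rather than a few bytes of metadata."""
    flagged = []
    for e in entries:
        name = e["stream"].lower()
        if name in BENIGN_STREAMS:
            continue
        looks_exe = name.endswith((".exe", ".dll", ".ps1", ".bat", ".vbs", ".js"))
        if looks_exe or e["size"] >= min_size:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f'{e["directory"]}\\{e["file"]}:{e["stream"]}  ({e["size"]} bytes)')
```

Feed it the saved output of `dir /R /S` from the volume under review; the Zone.Identifier exclusion keeps ordinary downloaded files out of the result while a stream named like an executable, or one far larger than any metadata stream, is reported with its parent directory.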

Drive Capacity Consumption

  • Applications and processes with high drive capacity consumption may be malicious
  • malware may cache files locally for exfiltration over the network or USB
  • Use Disk Utilization tools to see:
    • a visual representation of storage space
    • a directory listing of storage space with folders and files sortable by size, extension, number of files, etc.
    • real-time analysis of information being written to a disk

File System Analysis Tools for Linux

lsof retrieves a list of all files currently open on the OS.

  • shows:
    • process ID for the process that has the file open
    • owner of the process
    • size of the file
    • file’s local or network address
    • file’s TCP state
    • file’s access mode
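An added example (not part of the notes) that reads the `lsof` table columns listed above (process ID, owner, size, address, TCP state, access mode) and correlates them per process: a process that holds a regular file open in a temp directory while also keeping an established TCP connection is a combination worth triage. The `lsof -nP` output is constructed for the example; the `STAGING_DIRS` list is an assumption.

```python
import re

# Constructed `lsof -nP` table (not captured from a real host):
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd     1021     root  cwd    DIR  253,0     4096      2 /
updater  4412    alice   4r    REG  253,0   734003 131090 /tmp/.cache/export-2024.tar.gz
updater  4412    alice   7u   IPv4  98231      0t0    TCP 10.0.0.5:49322->203.0.113.7:443 (ESTABLISHED)
firefox  2210    alice  52u   IPv4  77120      0t0    TCP 10.0.0.5:50120->198.51.100.9:443 (ESTABLISHED)
nginx    1500 www-data   6u   IPv4  44120      0t0    TCP *:80 (LISTEN)
"""

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed staging locations for this example
FD_RE = re.compile(r"^(\d+)([rwu])?$")              # e.g. "4r": descriptor 4, read access
STATE_RE = re.compile(r"\((\w+)\)$")                # trailing "(ESTABLISHED)" / "(LISTEN)"


def parse_lsof(text):
    """One dict per lsof line: pid, owner, fd and access mode, type, size, name, TCP state."""
    records = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 8)      # NAME may contain spaces, so split into at most 9 fields
        if len(parts) < 9:
            continue  # real lsof output may omit SIZE/OFF; `lsof -F` is the robust choice for parsing
        cmd, pid, user, fd, ftype, _device, size_off, _node, name = parts
        fd_match = FD_RE.match(fd)
        tcp_state = None
        state = STATE_RE.search(name)
        if ftype in ("IPv4", "IPv6") and state:
            tcp_state = state.group(1)
            name = name[:state.start()].rstrip()
        records.append({"command": cmd, "pid": int(pid), "user": user, "fd": fd,
                        "mode": fd_match.group(2) if fd_match else None,
                        "type": ftype, "size": int(size_off) if size_off.isdigit() else None,
                        "name": name, "tcp_state": tcp_state})
    return records


def staging_and_network(records):
    """PIDs with a regular file open in a staging directory *and* an established TCP
    connection, with the remote endpoints, for prioritised triage."""
    by_pid = {}
    for r in records:
        entry = by_pid.setdefault(r["pid"], {"command": r["command"], "files": [], "remotes": []})
        if r["type"] == "REG" and r["name"].startswith(STAGING_DIRS):
            entry["files"].append(r["name"])
        if r["tcp_state"] == "ESTABLISHED" and "->" in r["name"]:
            entry["remotes"].append(r["name"].split("->", 1)[1])
    return {pid: e for pid, e in by_pid.items() if e["files"] and e["remotes"]}


if __name__ == "__main__":
    for pid, e in staging_and_network(parse_lsof(SAMPLE_LSOF)).items():
        print(pid, e["command"], e["files"], e["remotes"])
```

The sample deliberately includes a browser with an established connection but no staged file, and a web server that is only listening, so neither is reported; only the process that matches both halves of the pattern is.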

df command displays information about disk space use by all mounted file systems and how much space is available for each.

du command displays disk space used by each directory in a specified directory.

  • e.g., to identify how large the /var/log/ folder is
    • du /var/log
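A portable equivalent of the `du` usage above, also covering the "sortable by size, extension, number of files" view from the Drive Capacity Consumption section; added as an example and not taken from the notes. It totals apparent file sizes per directory bottom-up (like `du -b`), lists the largest directories, and summarizes bytes and file counts per extension so an unusual bulk of one file type under a folder such as `/var/log` stands out.

```python
import os
import sys


def directory_sizes(root):
    """{directory: total bytes of all files beneath it}, apparent sizes as with `du -b`."""
    totals = {}
    for dirpath, subdirs, filenames in os.walk(root, topdown=False):
        size = 0
        for name in filenames:
            try:
                size += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # unreadable or vanished file; keep going
        # bottom-up walk: every subdirectory's total has already been computed
        for sub in subdirs:
            size += totals.get(os.path.join(dirpath, sub), 0)
        totals[dirpath] = size
    return totals


def largest_directories(totals, n=5):
    """The n biggest directories, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def size_by_extension(root):
    """{extension: (file count, total bytes)} across the whole tree."""
    summary = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower() or "(none)"
            try:
                size = os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue
            count, total = summary.get(ext, (0, 0))
            summary[ext] = (count + 1, total + size)
    return summary


def human(n):
    """Render a byte count with a binary unit, e.g. 4500 -> '4.4 KiB'."""
    units = ("B", "KiB", "MiB", "GiB", "TiB")
    i = 0
    while n >= 1024 and i < len(units) - 1:
        n /= 1024
        i += 1
    return f"{n:.1f} {units[i]}"


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/log"
    for path, size in largest_directories(directory_sizes(root)):
        print(f"{human(size):>10}  {path}")
    for ext, (count, total) in sorted(size_by_extension(root).items(), key=lambda kv: -kv[1][1]):
        print(f"{human(total):>10}  {count:5} files  {ext}")
```

`os.walk` does not follow symbolic links to directories, which matches `du`'s default and avoids counting a linked tree twice.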

Cryptography Tools

  • if a disk or file system is encrypted
    • examiner may need a decryption key to access it
  • encryption could also be applied to the file
  • cryptography analysis tools can determine the type of encryption algorithm used and assess the strength of the key
  • on a live system, may be possible to recover a key from system memory
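An added example of the "determine the type of encryption algorithm used and assess the strength of the key" step, not part of the notes: it recognizes LUKS and BitLocker containers from their signatures and reads the LUKS1 on-disk header (cipher name, mode, hash, master-key size, key-slot status and PBKDF2 iteration counts). The header bytes are constructed for the example, not taken from a real volume; LUKS2 uses a different JSON-based header and is only detected, not parsed.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_SIGNATURE = b"-FVE-FS-"          # found at byte offset 3 of a BitLocker volume header
LUKS_KEY_ENABLED, LUKS_KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
LUKS1_HEADER_LEN = 592
KEYSLOTS_OFFSET, KEYSLOT_LEN, NUM_KEYSLOTS = 208, 48, 8


def identify_container(header):
    """Name the encryption container type from the first bytes of a volume, or None."""
    if header[:6] == LUKS_MAGIC:
        return "LUKS"
    if header[3:11] == BITLOCKER_SIGNATURE:
        return "BitLocker"
    return None


def _cstr(buf):
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(hdr):
    """Read the LUKS1 phdr (big-endian fields) and report cipher, mode, hash and key size."""
    if hdr[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    version = struct.unpack_from(">H", hdr, 6)[0]
    if version != 1:
        raise ValueError(f"LUKS{version} uses a different (JSON) header layout")
    cipher, mode, hash_spec = _cstr(hdr[8:40]), _cstr(hdr[40:72]), _cstr(hdr[72:104])
    payload_offset, key_bytes = struct.unpack_from(">II", hdr, 104)
    mk_iterations = struct.unpack_from(">I", hdr, 164)[0]
    uuid = _cstr(hdr[168:208])
    slots = []
    for i in range(NUM_KEYSLOTS):
        active, iterations = struct.unpack_from(">II", hdr, KEYSLOTS_OFFSET + i * KEYSLOT_LEN)
        if active == LUKS_KEY_ENABLED:
            slots.append({"slot": i, "iterations": iterations})
    # XTS consumes two keys, so a 64-byte master key is two 256-bit AES keys (AES-256), not "AES-512"
    effective_bits = key_bytes * 8 // (2 if mode.startswith("xts") else 1)
    return {"cipher": cipher, "mode": mode, "hash": hash_spec, "key_bytes": key_bytes,
            "effective_key_bits": effective_bits, "payload_offset_sectors": payload_offset,
            "mk_digest_iterations": mk_iterations, "uuid": uuid, "active_keyslots": slots}


def build_sample_luks1_header():
    """Constructed LUKS1 header for the example (no real volume); only the parsed fields are filled."""
    hdr = bytearray(LUKS1_HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)       # payload at sector 4096, 64-byte master key
    struct.pack_into(">I", hdr, 164, 100000)           # master-key digest iterations
    hdr[168:204] = b"00000000-0000-0000-0000-000000000000"  # placeholder UUID
    struct.pack_into(">II", hdr, KEYSLOTS_OFFSET, LUKS_KEY_ENABLED, 250000)        # slot 0 active
    struct.pack_into(">I", hdr, KEYSLOTS_OFFSET + KEYSLOT_LEN, LUKS_KEY_DISABLED)  # slot 1 disabled
    return bytes(hdr)


if __name__ == "__main__":
    sample = build_sample_luks1_header()
    print(identify_container(sample), parse_luks1_header(sample))
```

For a real image, read the first 592 bytes of the partition and pass them in; the report tells the examiner which decryption tooling applies, how strong the cipher key is, and, from the active key slots and their iteration counts, how many passphrases unlock the volume and how costly each one is to test.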