Forensics: Extracting files from the MFT table with Volatility (Part 1) [EN]

in #security, 7 years ago


In digital forensics, there are now many tools that extract valuable information directly from the memory (RAM) of a computer or server. For example, it is possible to extract user password hashes, BitLocker volume encryption keys, web browsing history, and so on.
It is also possible to extract complete files directly from memory, in particular files stored in the MFT table.

What is the MFT table?

The NTFS file system is widely used by devices running a Windows OS. In NTFS everything is stored as a file, metadata and the registry included. The Master File Table (MFT), located at the root of an NTFS partition, is the file containing information about all other elements in the partition: the name, type, timestamps and location of each file and folder. By default, each entry in the MFT table stores a maximum of 1024 bytes (but it can be configured to store up to 4096 bytes). A file whose size is less than or equal to 1024 bytes is stored directly in the table (a "resident" file); if it exceeds 1024 bytes, the table only contains information about its location (a "non-resident" file).

Volatility: MFTParser plugin

Volatility is a Python framework for memory dump analysis. It benefits from many plugins that allow extraction of executables and passwords, malware analysis, and more. Volatility is easy to use, simple and accessible. To learn to master the tool, you can, for example, work through the challenges on the root-me.org site (Forensic category).
The plugin that interests us for retrieving entries from the MFT table is "MFTParser".

1. Memory dump identification

Before starting the analysis of our memory dump, it is better to identify it. To do this, we use the following command:

user@kali:~# volatility -f mydump imageinfo

-f specifies the memory dump name and path.
imageinfo is the Volatility plugin used.

[Screenshot: VolatilityProfile.PNG, output of the imageinfo plugin]

Usable profiles: Win7SP1x86_23418, Win7SP0x86 and Win7SP1x86.

2. Extracting MFT entries

MFT table entries are extracted using the "MFTParser" plugin, for example with the following command:

user@kali:~# volatility -f dump --profile=Win7SP1x86_23418 mftparser >> mfttable.txt

--profile selects the profile identified in step 1 (here Win7SP1x86_23418).
mftparser is the Volatility plugin used.
>> mfttable.txt appends the output to the "mfttable.txt" file.

3. "Resident" data recovery

The "mfttable.txt" file now contains information about the "resident" and "non-resident" entries of the MFT table stored in memory. One way to find "resident" data is to search for "0000000000:", the offset prefix of the first hexdump row that mftparser prints for a resident $DATA attribute.
Example of an entry corresponding to a "recent file" shortcut:

[Screenshot: ResidentFile.PNG, mftparser output for a resident .lnk entry]

The analysis lets us find the complete path of a recently opened file, "C:\Users\info\Desktop\flag.png", and we could then extract this image using other Volatility plugins.
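Searching "mfttable.txt" by hand works for one entry, but the same idea can be automated. The following Python script is an added example, not code from the post or from Volatility: it walks mftparser text output, keeps only the entries that carry a resident $DATA hexdump (the "0000000000:" rows), rebuilds the bytes, and flags the ones that start with a Windows Shell Link header, i.e. the "recent file" shortcuts shown above. The sample output is constructed and abridged, and the exact column layout of the hexdump rows is an assumption about the plugin's text renderer.

```python
import re
# Constructed, abridged sample of Volatility 2 "mftparser" text output (not the
# post's real dump). The second entry has no hexdump, i.e. non-resident data.
SAMPLE = r"""
***************************************************************************
MFT entry found at offset 0x1c2e400
Record Number: 1234

$FILE_NAME
Creation                     Modified                     Name/Path
---------------------------- ---------------------------- ---------
2017-05-04 10:11:12 UTC+0000 2017-05-04 10:11:12 UTC+0000 Users\info\Recent\flag.lnk

$DATA
0000000000: 4c 00 00 00 01 14 02 00 00 00 00 00 c0 00 00 00   L...............
0000000010: 00 00 00 46 9b 00 08 00 20 00 00 00 00 00 00 00   ...F............

***************************************************************************
MFT entry found at offset 0x1c2e800
Record Number: 1235

$FILE_NAME
Creation                     Modified                     Name/Path
---------------------------- ---------------------------- ---------
2017-05-04 10:12:00 UTC+0000 2017-05-04 10:12:00 UTC+0000 Users\info\Desktop\flag.png
"""
SEP = "*" * 75  # mftparser separates entries with a line of asterisks
# A hexdump row: 10-digit offset, colon, up to 16 hex pairs, then the ASCII column
HEX_ROW = re.compile(r"^[0-9a-fA-F]{10}:\s+((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})", re.M)
# $FILE_NAME data row: timestamps first, the path is the last token on the line
PATH_ROW = re.compile(r"^\d{4}-\d\d-\d\d .*\s(\S+)\s*$", re.M)
# Shell Link header: HeaderSize 0x4C then CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def parse_resident_entries(text):
    """Return [(record, path, data)] for entries whose $DATA hexdump is present."""
    found = []
    for block in text.split(SEP):
        rec = re.search(r"Record Number: (\d+)", block)
        if not rec or "$FILE_NAME" not in block or "$DATA" not in block:
            continue  # no record header, or non-resident data (no hexdump to carve)
        path = PATH_ROW.search(block.split("$FILE_NAME", 1)[1])
        rows = HEX_ROW.finditer(block.split("$DATA", 1)[1])
        data = b"".join(bytes.fromhex(m.group(1).replace(" ", "")) for m in rows)
        if data:
            found.append((int(rec.group(1)), path.group(1) if path else "?", data))
    return found

def is_shell_link(data):
    """True when the carved bytes start with a .lnk header (a 'recent file' shortcut)."""
    return data[:20] == LNK_MAGIC
```

Carved resident data can be written out with `open(name, "wb")` and examined with the usual file-type checks; for a .lnk the target path the post reads from the screenshot sits further inside the same bytes.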
