Slide 1

Cache Me If You Can!
Matt Bromiley, Senior Consultant, Mandiant
© Mandiant, a FireEye Company. All rights reserved.

Slide 2

Agenda
• $ whoami
• Why Does this Matter?
• Windows Application Experience and Compatibility
• Forensic Shim Artifacts
  • RecentFileCache
  • ShimCache
  • AmCache
• Wrapping Up

Slide 3

$ whoami

Slide 4

$ whoami
• Currently a Senior Consultant with Mandiant
• 4+ years experience with a focus on data breaches, incident response, network security monitoring, and digital forensics
• Work with clients from small, regional shops to multinational Fortune 50s
• SANS FOR508 TA
• LOVE to share, learn, and help others improve (while improving myself!)
Tweet/Git/Blog: [@]505Forensics[.com]

Slide 5

Why Does This Matter?

Slide 6

Why Does This Matter?
“Malware Can Hide, But It Must Run” - SANS

Slide 7

Why Does This Matter? - “Malware Can Hide, But It Must Run”
• Malware authors are continually improving the methods by which they hide their malware
• Persistence mechanisms are becoming a study unto themselves, due to the intricacies of various operating systems
• Environments are now running multiple versions of multiple operating systems
• How can we scale our analysis to focus on artifacts that matter?
• Which artifacts should we be examining, and how long do they retain value?

Slide 8

Why Does This Matter?
(Chart: Forensic Artifacts vs. Time Since Incident)

Slide 9

Why Does This Matter? – Time Is Your Enemy
• IR usually triggers on an event, and we backtrack in time.
• As time increases, artifacts that are available may decrease:
  • Logs roll
  • Users gonna use
  • Shutdowns and Reboots
  • Re-deployment
  • Destroyed

Slide 10

Why Does This Matter? – Add to Your Arsenal
• Forensicators need to have as much information as possible
• Cache entries can also tell us what else happened before/after the malware was run
• The goal is to understand compromise; paint a picture of attacker activity
• Windows *caches help to understand more about what happened when
• We are constantly peeking back in time
• We need artifacts that can hopefully stand the test of time as well!

Slide 11

Windows Application Experience and Compatibility

Slide 12

Windows Application Experience and Compatibility
• Microsoft Windows Application Compatibility Infrastructure, aka Shim Infrastructure
• Designed to help mitigate software “breaking” due to Windows “upgrades” or “improvements”
• Implemented via API hooking; redirects API calls from Windows to alternative code
  • Redirects to shim code
• Allows applications with older code dependencies to run without performance/software issues to the user

Slide 13

Windows Application Experience and Compatibility (cont.)
(Diagram: Application without Shims vs. Application with Shims)
Source: https://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx

Slide 14

Windows Application Experience and Compatibility (cont.)
Expected Shim activity:
• When process creation begins, Windows checks for application compatibility flags. If present, the application compatibility databases are referenced through the shim engine
• Parse through shim databases for additional verification of compatibility needs
• If required, load the shim engine DLL

Slide 15

Forensic Shim Artifacts
RecentFileCache

Slide 16

RecentFileCache
• Located at C:\Windows\AppCompat\Programs\RecentFileCache.bcf
• Typically available on versions older than Windows 8 & 10
• Temporary storage of a recent list of executed applications
• What may cause a program to be stored in here?
  • “New” programs (downloaded/copied)
  • First runs of known programs
• Volatility
  • HIGHLY VOLATILE
  • Cleared when the Application Experience ProgramDataUpdater is executed, potentially storing entries long-term

Slide 17

RecentFileCache (cont.)

Slide 18

RecentFileCache - Parsing
• Harlan Carvey has written a Perl carver
  • https://github.com/keydet89/Tools/blob/master/source/rfc.pl
• Patrick Olsen has written a Python carver
  • https://github.com/sysforensics/RecentFileCacheParser
Example:
  python rfcparse.py -f /path/to/RecentFileCache.bcf
  c:\windows\syswow64\unregmp2.exe
  c:\program files (x86)\windows media player\wmpshare.exe

Slide 19

RecentFileCache – Parsing (cont.)
• Lance Mueller also created an EnCase v7 EnScript that can extract RecentFileCache data from memory images or unallocated space, or find the file itself
  • Available at http://www.forensickb.com/2015/04/encase-v7-enscript-to-carve.html

Slide 20

ShimCache

Slide 21

ShimCache
• Located within the SYSTEM registry hive
  • Windows XP(-ish): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
  • Not Windows XP(-ish): HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
• Contains program execution/shim details; more extensive than RecentFileCache
• Lower volatility than RecentFileCache; can store up to 1024 entries

Slide 22

ShimCache – Windows XP
• Entries are created when a new file is executed, or an application is modified and executed.
• Registry entries are 552 bytes in size; registry will contain max 96 entries
• Entry has a 400-byte header that begins with 0xDEADBEEF
• Header also contains:
  • Number of entries in record
  • Indices used by cache manager

Slide 23

ShimCache – Windows XP (cont.)
• Entries contain:
  • Full path of executable
  • $SI Last Modified Time
  • File Size
  • Last File Update Time
• Winlogon saves cache contents to registry during system shutdown
• Cache entries may be recovered from unallocated registry or disk space
  • Yes, you can carve for these!
Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

Slide 24

ShimCache – Windows Server 2003
• Registry path changes
  • …\AppCompatCache\AppCompatCache
• Registry entries are 24 or 32 bytes in length; registry will contain max 512 entries
• Entry has an 8-byte header that begins with 0xBADC0FFE, and contains number of entries
• Entries will be updated for new executables, or existing executables with path changes/modifications
• Differences between 32- and 64-bit; important to note for parsing!!
Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

Slide 25

ShimCache – Windows Vista/Server 2008
• Registry entries are 24 or 32 bytes in length
• Cache contains up to 1024 entries
• Two 4-byte flags added (dwInsertFlags and dwFlags)
• File size removed
• Applications may now be added to cache without execution!
  • Windows Explorer may parse EXE metadata and applications are added to cache
Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf

Slide 26

ShimCache – Windows 7 and Server 2008 R2
• Registry entries are 32 or 48 bytes in length
• Cache contains up to 1024 entries
• Entry has a 128-byte header that begins with 0xBADC0FEE, and contains number of cache entries
• Non-executed applications may still be recorded; however, we can detect execution
• Only timestamps recorded are still $STANDARD_INFORMATION last modified times

Slide 27

ShimCache – Windows 7 and Server 2008 R2 (cont.)
• New cache updates now include a flag that may tell if application was executed or not
  • dwInsertFlags may be written with a value of 2, indicating execution
  • dwShimFlags relate to Compatibility Database
  • qwBlob* values may relate to execution of installers
Reference: https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
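As an added example (not code from the talk, nor from Mandiant's ShimCacheParser), the following Python packs and parses the 32-bit Windows 7 / Server 2008 R2 AppCompatCache layout described on slides 26 and 27: a 128-byte header starting with 0xBADC0FEE that holds the entry count, then 32-byte entries carrying the $STANDARD_INFORMATION modification time and dwInsertFlags, where bit 0x2 marks execution. The sample blob is constructed inline; the field names are assumptions modelled on the whitepaper's terminology, and the 48-byte 64-bit entry variant is not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN7_MAGIC = 0xBADC0FEE  # header signature for Windows 7 / Server 2008 R2
HEADER_SIZE = 0x80       # 128-byte header; DWORD entry count at offset 4
ENTRY_SIZE_32 = 0x20     # 32-byte entries on 32-bit Windows (64-bit uses 48)
# Length, MaxLength, path Offset, FILETIME lo/hi, dwInsertFlags, dwShimFlags, BlobSize, BlobOffset
ENTRY_FMT_32 = "<HHLLLLLLL"
EXEC_FLAG = 0x2          # dwInsertFlags bit set once the program has actually run
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(lo, hi):
    return EPOCH + timedelta(microseconds=((hi << 32) | lo) // 10)

def dt_to_filetime(dt):
    ft = ((dt - EPOCH) // timedelta(microseconds=1)) * 10
    return ft & 0xFFFFFFFF, ft >> 32

def parse_win7_shimcache(blob):
    """Entries in cache order (most recent first) from a 32-bit Win7 AppCompatCache value."""
    magic, count = struct.unpack_from("<LL", blob, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("not a Windows 7 / Server 2008 R2 AppCompatCache blob")
    entries = []
    for i in range(count):
        length, _maxlen, path_off, lo, hi, insert_flags, _shim, _bsize, _boff = struct.unpack_from(
            ENTRY_FMT_32, blob, HEADER_SIZE + i * ENTRY_SIZE_32)
        entries.append({
            "path": blob[path_off:path_off + length].decode("utf-16le"),
            "last_modified": filetime_to_dt(lo, hi),  # $SI mtime of the file, not run time
            "executed": bool(insert_flags & EXEC_FLAG),
        })
    return entries

def build_win7_shimcache(records):
    # Constructed test data: pack (path, mtime, executed) tuples into the on-disk layout
    strings_off = HEADER_SIZE + len(records) * ENTRY_SIZE_32
    header = struct.pack("<LL", WIN7_MAGIC, len(records)).ljust(HEADER_SIZE, b"\0")
    body, strings = b"", b""
    for path, mtime, executed in records:
        raw = path.encode("utf-16le")
        lo, hi = dt_to_filetime(mtime)
        body += struct.pack(ENTRY_FMT_32, len(raw), len(raw) + 2, strings_off + len(strings),
                            lo, hi, EXEC_FLAG if executed else 0, 0, 0, 0)
        strings += raw + b"\0\0"
    return header + body + strings

# Constructed sample: the case-study pivot file plus a never-executed entry
SAMPLE_BLOB = build_win7_shimcache([
    ("C:\\Windows\\oSCMpGpk.exe", datetime(2015, 4, 7, 13, 22, 5, tzinfo=timezone.utc), True),
    ("C:\\Windows\\System32\\calc.exe", datetime(2009, 7, 14, 1, 39, 12, tzinfo=timezone.utc), False),
])
```

Against a real hive, the blob is the AppCompatCache value read from the SYSTEM hive path on slide 21; the "executed" field is what separates a true run from an Explorer-triggered metadata entry.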

Slide 28

ShimCache - Parsing
• Multiple tools available to parse ShimCache
• Mandiant’s own ShimCacheParser tool
  • https://github.com/mandiant/ShimCacheParser
  • Can parse multiple file inputs:
    • Registry hives
    • Extracted keys
    • Current (live) system
    • MIR XML files
  • Output will be returned with most-recent execution first

Slide 29

ShimCache – Parsing (cont.)
• ShimCacheParser usage:
  python ShimCacheParser.py -i <SYSTEM hive> -o <name>.appcompat.out
  [+] Reading registry hive: SYSTEM...
  [+] Found 32bit Windows 7/2k8-R2 Shim Cache data...
  [+] Found 32bit Windows 7/2k8-R2 Shim Cache data...
  [+] Writing output to <name>.appcompat.out...

Slide 30

ShimCache – Parsing (cont.)
• AppCompatCacheParser by Eric Zimmerman
  • Available at http://binaryforay.blogspot.com/p/software.html
  • Can parse live system or dead hives
• Usage:
  AppCompatCacheParser.exe -s <output dir> -h <SYSTEM hive>

Slide 31

AmCache

Slide 32

AmCache
• On Windows 8 & 10/Server 2012, RecentFileCache.bcf/ShimCache is replaced with the ‘AmCache’ hive
• Location: C:\Windows\appcompat\Programs
• Now a Windows NT Registry (REGF) hive

Slide 33

AmCache (cont.)
• AmCache ups the forensic game significantly!
• Now records:
  • SHA-1 hash!
  • PE Header fields
  • Multiple timestamps (last modified, created)
  • Full path to file
  • File version
  • File Size
  • Product Name
  • Program ID
• Increased forensic value for investigators

Slide 34

AmCache (cont.)
• Records are grouped by Volume GUIDs
  • You can compare registry “folders” to GUIDs found under SYSTEM\MountedDevices
  • Root > File > Volume GUID
• Volume GUID folders contain entries; each entry represents a program within the AmCache
  • Hexadecimal values + 17, 100, and 101
  • E.g. 101 represents the SHA-1 of the file

Slide 35

AmCache - Parsing
• Eric Zimmerman has developed AmcacheParser
  • Available at https://www.dropbox.com/s/1letm7lll3wj1ca/AmcacheParser.zip?dl=1
  • Eric’s tool also incorporates whitelist/blacklist capabilities
• Usage:
  AmcacheParser.exe -s <output dir> -f <AmCache hive> [-w <whitelist>] [-b <blacklist>]

Slide 36

AmCache – Parsing (cont.)
• Willi Ballenthin has created a Python script to parse the AmCache hive
  • Available at https://github.com/williballenthin/python-registry/blob/master/samples/amcache.py
• Yogesh Khatri has created EnCase v6 and v7 parsers
  • Outputs to the console
  • Available at swiftforensics.com

Slide 37

Analysis Techniques

Slide 38

Analysis Techniques
• Case Study
  1. Imagine: SOC receives an alert of malicious traffic originating from a user workstation.
  2. IR team collects targeted artifacts from the host, including registry hives and event logs
  3. Event log parsing shows multiple A/V errors on the file C:\Windows\oSCMpGpk.exe
     1. Administrator user logs in, disables A/V, the errors stop
     2. We have a filename as a pivot point
  4. Analyst parses ShimCache data from registry to examine execution artifacts

Slide 39

Analysis Techniques (cont.)
• ShimCache Analysis Techniques

Slide 40

Wrapping Up

Slide 41

Wrapping Up
• As forensic investigators, we are constantly seeking new artifacts to help us paint the picture of activity on a system
• Artifacts are temporal; some are extremely volatile, others have a longer “shelf-life”
• The various *caches available since Windows XP help provide analysts another source of information to profile suspicious activity
• There are multiple parsers available for each; pick which works best for you!

Slide 42

Shoulders of Giants…
SANS – http://www.sans.org
Tools
• Mandiant ShimCache Whitepaper - https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
• Eric Zimmerman - http://binaryforay.blogspot.com/
Blogs
• Corey Harrell - http://journeyintoir.blogspot.com
• Harlan Carvey - http://windowsir.blogspot.com
• Yogesh Khatri - http://www.swiftforensics.com

Slide 43

THANK YOU!