Velociraptor Deployment

NTFS Overview

NTFS is the file system in all modern Windows operating systems.
Feature packed with a design focused on storage optimization and resilience.
NTFS implements Journalling to record metadata changes to track state and integrity of the file system.
Allows for recovery after system crashes to avoid data loss
File System objects referenced in a Master File Table (MFT)

New Technology File System

In NTFS, the Master File Table (MFT) is at the heart of the file system. A structured database that stores metadata entries for every file and folder.
Every object gets an entry within the MFT. Each entry is usually 1024 bytes long. Contains a series of attributes that fully describe the object.

MFT entries contain attributes

File entry examples

$STANDARD_INFORMATION
$FILE_NAME (Windows long name)
$FILE_NAME (short name)
$DATA
$DATA (alternate data stream sometimes)

Folder entry examples

$STANDARD_INFORMATION
$FILE_NAME (Windows long name)
$FILE_NAME (short name)
$INDEX_ROOT
$INDEX_ALLOCATION (sometimes)

NTFS Analysis

Velociraptor offers a number of plugins to access detailed information about NTFS:

parse_mft(): parses each MFT entry and returns high level metadata about the entry - including reconstruct the full path of the entry by traversing parent MFT entries.
parse_ntfs(): Given an MFT ID this function will display information about the various streams (e.g. $DATA, $Filename etc)
parse_ntfs_i30(): This scans the $i30 stream in directories to recover potentially deleted entries.

Finding suspicious files

Parse the MFT using Windows.NTFS.MFT

Common DFIR use case is finding files
- File name
- Path
- File type
- Content
Velociraptor plugins
- glob
- parse_mft
- yara
- other content based plugins

Windows.Forensics. FilenameSearch

Apply yara on the MFT
- fast yara
- simple string based
- filename / top level folder only
- comma separated
Crude and less control
Verbose results

Windows.NTFS.MFT

Parses MFT
Easy to use
Filters
- Path
- File name
- Drive
- Time bounds
- Size
Performance optimised

Exercise - Generate test data

To automatically prep your machine run this script:

### NTFS exercise setup

## 1. download some files to test various content and add ADS to simulate manual download from a browser

$downloads = (
    "https://live.sysinternals.com/PsExec64.exe",
    "https://live.sysinternals.com/procdump64.exe",
    "https://live.sysinternals.com/sdelete64.exe"
)

foreach ( $url in $downloads){
    "Downloading " + $Url
    $file = Split-Path $Url -Leaf
    $dest = "C:\PerfLogs\" +$file
    $ads =  "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://18.220.58.123/yolo/`r`nHostUrl=https://18.220.58.123/yolo/" + $file + "`r`n"

    Remove-Item -Path $dest -force -ErrorAction SilentlyContinue
    Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
    Set-Content -Path $dest":Zone.Identifier" $ads
}

More setup

## 2.Create a PS1 file in staging folder (any text will do but this is powershell extension)
echo "Write-Host ‘this is totally a resident file’" > C:\Perflogs\test.ps1

## 3.Modify shortname on a file
fsutil file setshortname C:\PerfLogs\psexec64.exe fake.exe

## 4. Create a process dumpOpen calculator (calc.exe)
calc.exe ; start-sleep 2
C:\PerfLogs\procdump64.exe -accepteula -ma win32calc C:\PerfLogs\calc.dmp
get-process | where-object { $_.Name -like "*win32calc*" } | Stop-Process

## 5. Create a zip file in staging folder
Compress-Archive -Path C:\PerfLogs\* -DestinationPath C:\PerfLogs\exfil.zip -CompressionLevel Fastest

## 6. Delete dmp,zip and ps1 files - deleted file discovery is important for later!
Remove-Item -Path C:\PerfLogs\*.zip, C:\PerfLogs\*.dmp, C:\PerfLogs\*.ps1

Download and copy to staging folder C:\PerfLogs\
Add ADS to simulate Mark of the Web

Create a PS1 file in staging folder (any text will do but this is powershell extension)

echo "Write-Host ‘this is totally a resident file’" > C:\Perflogs\test.ps1

Modify short name on a file

fsutil file setshortname C:\PerfLogs\psexec64.exe fake.exe

Create a process dump Open calculator (calc.exe)

C:\PerfLogs\procdump64.exe -accepteula -ma calc C:\PerfLogs\calc.dmp

Create a zip file in staging folder - open C:\Perflogs in Explorer highlight and select: Send to > Compressed (zipped) folder. Delete dmp.zip and ps1 files - deleted file discovery is important for later!

Remove-Item -Path C:\PerfLogs\*.zip, C:\PerfLogs\*.dmp, C:\PerfLogs\*.ps1

Exercise

Find contents of C:\Perflogs
Review metadata of objects
Explore leveraging filters
- to target specific files or file types
- to find files limited to a time frame
Can you find the deleted files?
- You may get lucky and have an unallocated file show.
- Try Windows.Forensics.Usn with filters looking for suspicious extensions in our staging location!

The USN journal

Update Sequence Number Journal or Change journal is maintained by NTFS to record filesystem changes.
Records metadata about filesystem changes.
Resides in the path $Extend$UsnJrnl:$J

USN Journal

Records are appended to the file at the end
The file is sparse - periodically NTFS will remove the range at the start of the file to make it sparse
Therefore the file will report a huge size but will actually only take about 30-40mb on disk.
When collecting the journal file, Velociraptor will collect the sparse file.

Exercise - Windows.Forensics.Usn

Target C:\PerfLogs with the PathRegex field.

typically the USN journal only records filename and MFTId and ParentMFTId record. Velociraptor automatically reconstructs the expected path so the user can filter on path.
This artifact uses FullPath results with “/”.

Exercise - UsnJ solution

But these are simple to detect when you know what to look for!

Advanced NTFS: Alternate Data Stream

Most browsers attach an ADS to files downloaded from the internet.
Use the VFS viewer to view the ADS of downloaded files.
Use ADS Hunter to discover more interesting ADS
Use Windows.Analysis. EvidenceOfDownload to identify downloaded files and unpacked ZIP files.