Windows Forensic Analysis Toolkit by Harlan Carvey

Author: Harlan Carvey
Language: eng
Format: epub
ISBN: 9781597497282
Publisher: Elsevier Inc.
Published: 2012-01-26T16:00:00+00:00


Figure 5.22 Values in RegIdleBackup key, via WRR.

We can then use the GUID value to navigate to the TaskCache\Tasks key, and locate the subkey with the ID GUID as its name. Beneath this key, you will find the values illustrated in Figure 5.23.

Figure 5.23 Values beneath a TaskCache\Tasks\GUID key.

Most notable are the “Path” and “Hash” values. The Path value clearly provides the path to the scheduled task file. The Hash value is a bit more interesting, as the hash is of the XML task file itself and used to verify the integrity of that file. Bruce Dang (of Microsoft) gave a presentation at the 27th Chaos Communications Congress (the video of which is available online at http://www.vimeo.com/18225315), during which he discussed Microsoft’s efforts in analyzing the Stuxnet malware. During that presentation, Bruce stated that the hash algorithm used at the time to identify changes in the scheduled task files was the CRC-32 algorithm, for which it is very easy to generate collisions. Analysis of the malware determined that one of the vulnerabilities it would exploit was to modify a scheduled task and pad the file so that when the Task Scheduler verified the task’s hash prior to running it, the hash would match what was stored in the Registry. According to Bruce, Microsoft decided to replace the algorithm with the SHA-256 algorithm; this fix appears to have been provided in security update MS10-092, found online at http://support.microsoft.com/kb/2305420. Note that the KnowledgeBase article states that any scheduled tasks that have already been corrupted by malware may be validated following the installation of this security update; as such, the article recommends that the actions associated with the tasks be verified, which is excellent advice.
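As an added example (not code from the book), the Python below performs the two checks the passage points to: it compares an on-disk task XML file against the Hash value stored under TaskCache\Tasks\{GUID}, and it lists the task's actions so they can be verified as the KB article recommends. It assumes the Hash value is the raw digest of the file bytes (32 bytes for SHA-256 after MS10-092, 4 bytes for the older CRC-32); the task file and hash values are constructed samples.

```python
import hashlib
import struct
import zlib
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task XML files.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def classify_hash(task_xml: bytes, stored_hash: bytes) -> str:
    """Compare the on-disk task XML with the Hash value from TaskCache\\Tasks\\{GUID}.
    Assumption: the value is the raw digest of the file bytes, 32 bytes for
    SHA-256 (after MS10-092) or 4 bytes for the older CRC-32."""
    if len(stored_hash) == 32:
        ok = hashlib.sha256(task_xml).digest() == stored_hash
        return "sha256-ok" if ok else "sha256-mismatch"
    if len(stored_hash) == 4:
        # A CRC-32 match proves nothing: the file can be padded until the
        # checksum matches, which is exactly what Stuxnet did.
        crc = struct.pack("<I", zlib.crc32(task_xml) & 0xFFFFFFFF)
        return "crc32-match-untrusted" if crc == stored_hash else "crc32-mismatch"
    return "unknown-hash-format"


def task_actions(task_xml: bytes) -> list:
    """Return (command, arguments) pairs from <Actions>, so the analyst can
    verify what the task really runs, as the KB article recommends."""
    root = ET.fromstring(task_xml)
    pairs = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        pairs.append((cmd.strip(), args.strip()))
    return pairs


# Constructed sample task file (real ones are UTF-16 with a BOM).
SAMPLE_TASK = b"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\rundll32.exe</Command>
      <Arguments>example.dll,Entry</Arguments>
    </Exec>
  </Actions>
</Task>"""
# Constructed stand-ins for the Registry Hash value in both formats.
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_TASK).digest()
SAMPLE_CRC32 = struct.pack("<I", zlib.crc32(SAMPLE_TASK) & 0xFFFFFFFF)
```

A 4-byte Hash value is itself a finding: the task was registered under the CRC-32 scheme, so its actions should be reviewed regardless of whether the checksum matches.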

Tip: Wow6432Node

As long as you’re examining a Software hive, don’t forget to take a look in the Wow6432Node key. This key is used for Registry redirection of calls from 32-bit applications on 64-bit systems, and can contain some very useful information. For example, I’ve found values within the \Wow6432Node\Microsoft\Windows\CurrentVersion\Run key in the Software hive from a 64-bit Windows 7 system, and these values were not also included in the \Microsoft\Windows\CurrentVersion\Run key. I’ve also found a significant number of subkeys beneath the \Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall key, indicating applications and updates that had been installed on the system.
