Windows Forensic Analysis Toolkit by Harlan Carvey
Author: Harlan Carvey
Language: eng
Format: epub
ISBN: 9781597497282
Publisher: Elsevier Inc.
Published: 2012-01-26T16:00:00+00:00
Figure 5.22 Values in RegIdleBackup key, via WRR.
We can then use the GUID value to navigate to the TaskCache\Tasks key, and locate the subkey with the ID GUID as its name. Beneath this key, you will find the values illustrated in Figure 5.23.
Figure 5.23 Values beneath a TaskCache\Tasks\GUID key.
Most notable are the “Path” and “Hash” values. The Path value clearly provides the path to the scheduled task file. The Hash value is a bit more interesting, as it is a hash of the XML task file itself and is used to verify the integrity of that file. Bruce Dang (of Microsoft) gave a presentation at the 27th Chaos Communications Congress (the video of which is available online at http://www.vimeo.com/18225315), during which he discussed Microsoft’s efforts in analyzing the Stuxnet malware. During that presentation, Bruce stated that the hash algorithm used at the time to detect changes in the scheduled task files was CRC-32, for which it is very easy to generate collisions. Analysis of the malware determined that one of the vulnerabilities it exploited was exactly this: it would modify a scheduled task and pad the file so that, when the Task Scheduler verified the task’s hash prior to running it, the hash would still match what was stored in the Registry. According to Bruce, Microsoft decided to replace the algorithm with SHA-256; this fix appears to have been provided in security update MS10-092, found online at http://support.microsoft.com/kb/2305420. Note that the Knowledge Base article states that any scheduled tasks that have already been corrupted by malware may be validated following the installation of this security update; as such, the article recommends that the actions associated with the tasks be verified, which is excellent advice.
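The following is an added example, not code from the book, showing how an examiner might recompute the hash of a task file recovered from an image and compare it with the Hash value read from the corresponding TaskCache\Tasks\GUID key. It assumes that a 4-byte Hash value is the legacy CRC-32 (stored little-endian) and a 32-byte value is the SHA-256 of the raw file bytes; the task XML, the tampered copy and the GUIDs are constructed placeholders.

```python
import hashlib
import struct
import zlib

# Constructed sample task XML, standing in for a file under %SystemRoot%\System32\Tasks.
TASK_XML = (b'<?xml version="1.0" encoding="UTF-16"?><Task version="1.2"><Actions>'
            b'<Exec><Command>C:\\Windows\\System32\\sample.exe</Command></Exec>'
            b'</Actions></Task>')
# Constructed tampered copy: the action was changed and the file padded.
TAMPERED_XML = TASK_XML.replace(b'sample.exe', b'other.exe') + b' ' * 16

def crc32_digest(data: bytes) -> bytes:
    """Legacy (pre-MS10-092) value; assumed to be stored as 4 little-endian bytes."""
    return struct.pack('<I', zlib.crc32(data) & 0xFFFFFFFF)

def sha256_digest(data: bytes) -> bytes:
    """Post-MS10-092 value: assumed to be SHA-256 over the raw task file bytes."""
    return hashlib.sha256(data).digest()

def classify_hash(stored: bytes) -> str:
    # Assumption: the algorithm is implied by the length of the Hash value.
    return {4: 'CRC-32', 32: 'SHA-256'}.get(len(stored), 'unknown')

def verify_task(task_xml: bytes, stored_hash: bytes) -> dict:
    """Recompute the on-disk task file's hash and compare it with the Registry value."""
    algo = classify_hash(stored_hash)
    digest = {'CRC-32': crc32_digest, 'SHA-256': sha256_digest}.get(algo, lambda _: b'')
    match = digest(task_xml) == stored_hash
    # A matching CRC-32 proves little (collisions are easy), so the task's actions
    # still deserve a manual look, as the Knowledge Base article advises.
    return {'algorithm': algo, 'match': match,
            'needs_manual_review': not match or algo != 'SHA-256'}

def audit_task_cache(entries: dict, files: dict) -> list:
    """entries: GUID -> {'Path': ..., 'Hash': ...} as read from TaskCache\\Tasks;
    files: Path -> task file bytes recovered from the image."""
    findings = []
    for guid, values in entries.items():
        result = verify_task(files[values['Path']], values['Hash'])
        findings.append(dict(guid=guid, path=values['Path'], **result))
    return findings

if __name__ == '__main__':
    # Constructed TaskCache entries with placeholder GUIDs.
    entries = {'{GUID-1}': {'Path': r'\Microsoft\Windows\Registry\RegIdleBackup',
                            'Hash': sha256_digest(TASK_XML)},
               '{GUID-2}': {'Path': r'\Legacy\OldTask', 'Hash': crc32_digest(TASK_XML)}}
    files = {r'\Microsoft\Windows\Registry\RegIdleBackup': TAMPERED_XML,
             r'\Legacy\OldTask': TASK_XML}
    for finding in audit_task_cache(entries, files):
        print(finding)
```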
Tip: Wow6432Node
As long as you’re examining a Software hive, don’t forget to take a look in the Wow6432Node key. This key is used for Registry redirection of calls from 32-bit applications on 64-bit systems, and can contain some very useful information. For example, I’ve found values within the \Wow6432Node\Microsoft\Windows\CurrentVersion\Run key in the Software hive from a 64-bit Windows 7 system, and these values were not also included in the \Microsoft\Windows\CurrentVersion\Run key. I’ve also found a significant number of subkeys beneath the \Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall key, indicating applications and updates that had been installed on the system.