pssquiet

Detecting Programs Run From USB

Suppose that an executable such as Portable Firefox is run on Computer A from a USB drive. In theory, the executable should not write to the HDD on Computer A, but rather should write only to the USB.

 

Despite this, is there any way for forensic analysis to determine that the executable was run on Computer A? If so, how could one prevent that?


Depends on the operating system. Windows (and I've not used these features since Server 2000), policies can be set up in AD group policies. They are pretty granular. I've seen systems that only allow users to write to certain directories. I'd not be surprised if they accomplish this on an AD domain, now. I'd bet they probably do...... I know they have policies that stop USB execution and log failures as well as successes.

Consumer Windows, you need to make a custom application to do that (or find one that has already been made). You would probably want to fine-tune that. Instead of logging EVERYTHING that executes and tries to make a running process, you could check for a new socket, if the executable path does not match %HomeDrive%/, then log the executable and/or kill the process.

That would involve some deep level coding, like a Windows host-based firewall, but is totally 100% do-able. The same could be done, probably harder to code and easier to deploy on Linux. You could not really do a script. I'd think it'd need to be pretty low-level to catch every attempted starting process.


Thanks! It looks as though it would take some custom coding/scripting, set up in advance on the target system? (newbie here, remember)

 

Is there any way for someone to come in after the fact - without setting up a "trapper" to catch target processes - and determine that a program was run from USB in the past?


I think Windows actually might - Prefetch or Precache - or whatever it's called. I think it caches the location of commonly used applications. You'd need to google it.

There is an application called PortReporter that will log socket connections and the executable location. Several apps similar to that. Are you sure Group Policies cannot do this?

Also, if the program generates an event log, it will probably log the application path as well. What use would it be if we didn't know what the error was coming from or where? If there is Group Policy against USB execution, I'm sure it would log the path of the executable into Event Logs.

But - event logs and prefetch would be the two, off the top of my head... If it logs anything to Event Logs like errors, etc...


Just to be clear, for my own purposes I'm not specifically interested in configuring the machine to catch this, but more in covering tracks - preventing future users/examiners from detecting it. However you've put out a lot of useful tips that anyone else who sees that subject line will appreciate.


So... pre-fetch and Event Logs.

Windows populates the prefetch and writes to Event Logs. You don't.

Just thought I'd point that out....

Example: application generates a protection fault. An event is written to the system logs with the path to the executable by the Windows kernel.

Example 2: Windows notices an application is loading slowly, so puts it in prefetch:

  1. The prefetch folder is a subfolder of the Windows system folder. The prefetch folder is self-maintaining, and there's no need to delete it or empty its contents. If you empty the folder, Windows and your programs will take longer to open the next time you turn on your computer.

I'd also check temp files as well. Some applications will write logs, etc... to temp folders.

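As an added example (not code from anyone in this thread), here is a Python parser for the part of a Prefetch file that answers the original question: besides the executable name, run count and last run time, each .pf records the device path and volume serial number of every volume the program touched, which is what lets an examiner tie a run to one particular USB stick rather than to the internal disk. Field offsets follow the public Prefetch format documentation for the uncompressed versions 17 (XP/2003) and 23 (Vista/7); the sample image, its serial number and timestamps are constructed, and the Windows 8/10 formats (version 26 and the compressed version 30) are not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field offsets from the public Prefetch format documentation (libscca) for the two
# uncompressed formats: version 17 (XP/2003) and 23 (Vista/7). Versions 26/30 differ.
LAYOUT = {17: {"last_run": 120, "run_count": 144}, 23: {"last_run": 128, "run_count": 152}}
VOLUME_ENTRY_SIZE = 40  # size of one volume information entry in versions 17/23

def filetime_to_dt(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_prefetch(data):
    """Return executable name, run count, last run time and the volumes it ran from."""
    version, signature, _size = struct.unpack_from("<I4sI", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError("not an uncompressed version 17/23 prefetch file")
    lay = LAYOUT[version]
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name field
    last_run = struct.unpack_from("<Q", data, lay["last_run"])[0]
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    vol_off, vol_count = struct.unpack_from("<II", data, 108)  # volume information section
    volumes = []
    for i in range(vol_count):
        entry = vol_off + i * VOLUME_ENTRY_SIZE
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", data, entry)
        start = vol_off + path_off  # device path offset is relative to the section start
        volumes.append({"device_path": data[start:start + path_len * 2].decode("utf-16-le"),
                        "serial": f"{serial:08X}", "created": filetime_to_dt(created)})
    return {"version": version, "executable": exe, "run_count": run_count,
            "last_run": filetime_to_dt(last_run), "volumes": volumes}

def build_sample_pf(version, exe, device_path, serial, run_count, last_run_ft):
    """Construct a minimal synthetic .pf image (not a real capture) with one volume entry."""
    lay = LAYOUT[version]
    path = device_path.encode("utf-16-le")
    vol_off = 160  # arbitrary placement; the parser reads this offset from the header
    buf = bytearray(vol_off + VOLUME_ENTRY_SIZE + len(path))
    struct.pack_into("<I4sI", buf, 0, version, b"SCCA", len(buf))
    buf[16:16 + len(exe) * 2] = exe.encode("utf-16-le")
    struct.pack_into("<III", buf, 108, vol_off, 1, VOLUME_ENTRY_SIZE + len(path))
    struct.pack_into("<Q", buf, lay["last_run"], last_run_ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    # volume entry: path offset, path length in chars, volume creation time, serial number
    struct.pack_into("<IIQI", buf, vol_off, VOLUME_ENTRY_SIZE, len(device_path), last_run_ft, serial)
    buf[vol_off + VOLUME_ENTRY_SIZE:] = path
    return bytes(buf)

# Constructed sample: FILETIME 129404736000000000 is 2011-01-26 00:00:00 UTC.
SAMPLE_PF = build_sample_pf(17, "FIREFOXPORTABLE.EXE", r"\DEVICE\HARDDISKVOLUME3",
                            0x1C2D3E4F, 4, 129404736000000000)
```

Removable drives also appear as \DEVICE\HARDDISKVOLUMEn, so the path alone does not say "USB"; the volume serial number is what gets matched against the suspect drive.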

Thanks for all your help!

 

Cleaning out prefetch and temp is easy enough with CCleaner and CleanAfterMe. Clearing the event logs seems harder. I suppose I could rely on security through obscurity - there are lots of logs and lots of entries in each one, so without knowing exactly what to look for evidence might be hard to find. Still that seems chancy.

 

Is there any way to edit the event logs without leaving a log entry to show they were edited?


There was an app called log zapper, or something, that worked pre-Windows 2000. However, it would not work on Server 2000, and I've not tried it in years. So I'm not sure if it's been updated... Not even sure of the name anymore.

The problem is the logs are in binary, and not text like Linux/Unix logs. If you clear the event logs, it will leave a timestamp of deletion in the logs. The best way I found was to open the binary log files directly in a hex editor. Then start randomly deleting shit....

It will leave them unreadable and corrupted. The usefulness varies depending on the sophistication of the person looking at them: an average user would just think it was Windows acting up again. A somewhat skilled admin would look at time stamps and wonder, WTF? A seasoned security expert would know, but may not be able to reconstruct data. A national forensic lab would be able to reconstruct data easily...

Also, I believe event logs can be searched? I know there are some tools in MS Resource kits for working with event logs remotely, and other 3rd party tools. I'd really recommend reading Hacking Windows Exposed. That is a great book that covers all of this in much more detail than I can remember.


For Linux and probably most other unices (not sure if that's right XD) it should be very easy, there's logging programs and stuff.

Example: http://superuser.com/questions/222912/how-can-i-log-all-process-launches-in-linux

Edit: not sure how to specifically log only processes from specific partitions or anything like that, but through process of elimination it should be easy to tell which processes are from something not installed/that you know of.

Edited by dinscurge