如何使用Judge-Jury-and-Executable进行文件系统取证和威胁分析 – 作者:Alpha_h4ck

关于Judge-Jury-and-Executable

Judge-Jury-and-Executable是一款文件系统取证分析扫描和威胁捕捉工具。该工具能够在MFT和操作系统级别上进行文件系统扫描，并且还可以扫描存储在SQL、SQLite或CSV中的数据。除此之外，Judge-Jury-and-Executable还可以利用SQL的强大功能和语法来探测威胁和数据。

功能介绍

立即扫描已安装的文件系统以查找威胁。

或者在事件发生前收集系统基线，以获得额外的威胁搜寻能力，可在事件发生之前、期间或之后使用。

一对多工作站。

扫描MFT，绕过文件权限、文件锁定或操作系统文件保护/隐藏。

为每个文件收集多达51个不同的属性。

扫描结果进入SQL表，以便以后进行搜索，在许多扫描和/或许多机器上聚合结果，并进行历史或回顾性分析。

利用SQL的强大功能来搜索文件系统、查询文件属性、回答复杂或高级问题，以及寻找威胁或危害迹象。

工具要求

.NET Framework v4.8

带有读取/写入/创建访问权的本地或远程SQL数据库

Visual Studio

接入网络

SQL基础知识

高级数据分析

在MFT和取证级别的数据得到保护之后，将收集每个文件的操作系统级别属性、可用数据和元数据，并扩充MFT条目所创建的每个条目。因此，即使由于文件权限（ACL）、文件锁定（正在使用）、磁盘损坏、零字节长度文件或任何其他原因而无法访问操作系统API，工具仍将记录和跟踪该文件的存在。但是，条目将不包含操作系统无法访问的信息。每个文件最多可收集51个不同的数据点。

每份文件收集的信息

SHA256哈希

MD5哈希

导入表哈希

MFT号&序列号

MFT创建/修改/访问的数据

操作系统创建/修改/访问的数据

所有的标准操作系统文件属性：位置、大小、日期时间戳、属性、元数据

是否是PE或DLL或驱动器

认证代码是否已签名

是否验证了509证书链

自定义YARA规则

文件熵

样本数据行

固定查询样例

/*

IDEA: All files in the directory C:\Windows\System32\ should be 'owned' by TrustedInstaller.

If a file in the System32 directory is owned by a different user, this indicates an anomaly,

and that user is likely the user that created that file.

Malware likes to masquerade around as valid Windows system files.

Executables that are placed in the System32 directory not only look more official, as it is a common path for

system files, but an explicit path to that executable does not need to be supplied to execute it from the

command line, windows 'Run' dialog box of the start menu, or the win32 API call ShellExecute.

*/

 

SELECT

TOP 1000 *

FROM  [FileProperties]

WHERE

        [FileOwner] <> 'TrustedInstaller'

    AND [DirectoryLocation] = ':\Windows\System32'

    AND IsSigned = 0

ORDER BY [PrevalenceCount] DESC

 

 

/*

IDEA: The MFT creation timestamp and the OS creation timestamp should match.

If the MFT creation timestamp occurs after the creation time reported by the OS meta-data,

this indicates an anomaly.

Timestomp is a tool that is part of the Metasploit Framework that allows a user to backdate a file

to an arbitrary time of their choosing. There really isn't a good legitimate reason for doing this

(let me know if you can think of one), and is considered an anti-forensics technique.

*/

 

SELECT

TOP 1000 *

FROM  [FileProperties]

WHERE

([MftTimeAccessed] <> [LastAccessTime]) OR

([MftTimeCreation] <> [CreationTime]) OR

([MftTimeMftModified] <> [LastWriteTime])

ORDER BY [DateSeen] DESC

 

/*

IDEA: The 'CompileDate' property of any executable or dll should always come before the creation timestamp for that file.

Similar logic applies as for the MFT creation timestamp occuring after the creation timestamp. How could a program have been

compiled AFTER the file that holds it was created? This anomaly indicates backdating or timestomping has occurred.

*/

 

 

SELECT

TOP 1000 *

FROM  [FileProperties]

WHERE

([MftTimeCreation] < [CompileDate]) OR

([CreationTime] < [CompileDate])

ORDER BY [DateSeen] DESC

项目地址

Judge-Jury-and-Executable：【GitHub传送门】

来源：freebuf.com 2021-05-08 12:18:42 by: Alpha_h4ck