Circumventing NTFS-auditing using block level access

Hi experts.

Imagine someone is trying to keep track of the files that another administrator opens on a Windows server by using NTFS auditing. File access is logged and of course log deletion gets logged, too.

Is it possible for an admin to circumvent logging by simply using a hex editor to open the whole drive, jump to a certain address and read out the file contents?
Let's say I know the filename and path and I know its content is plain text. Would I be successful in reading the content with WinHex without NTFS auditing logging me?

I see problems in finding the file in WinHex.
McKnife asked:

Rich Rumble (Security Samurai) commented:
If the OS is running, it will log; if it's not, nothing is logged. That file/folder auditing has to be enabled at the file/folder level and in the event log settings.
I believe the Shadow Copy service can copy files and it might not log the copy of the file/directory in the event log the same way. You would see the Shadow Copy service start/stop but not much more.
Someone can also use pwdump7's NTFS driver to bypass file/folder auditing. PWD7 has its own NTFS driver it loads to make copies of files, even files that may be locked, and it does not show up in the audit. A virtual machine can be paused, and its file/folder contents can be copied by the VM host without the (guest) OS knowing.
If a file is being accessed while the OS is running, by WinHex etc., it'd have to use some method outside the OS (like its own NTFS driver) to keep it hidden from the OS's auditing. Then again, simply boot a machine with a boot CD, or remove the HDD and make a copy; copies don't touch the metadata on the drive, so last accessed/last modified don't get changed when copies are made of a removed drive.
-rich
McKnife (Author) commented:
Hi Rich.

While the info on other NTFS drivers is interesting, as well as the idea of using shadow copy clones, the main question is not touched: WinHex can load the whole drive C: (the drive as a whole); is it possible to find out and jump to the address of the plain text file (of which we only know the path) and read its contents?
I know about offline attacks, sure. I was just interested in whether something like WinHex can be used.
Rich Rumble (Security Samurai) commented:
Great, now I'm going to spend all day trying to bypass Windows file/folder auditing with WinHex and others :) I'll let you know how it goes.
-rich
McKnife (Author) commented:
There are surely better ways to spend your time. You have contributed two good ideas, so I already know that admins could circumvent it online. If someone knows how to find a file's "hex position", then he'll be welcome.
Rich Rumble (Security Samurai) commented:
I found another way around and I wasn't even trying :)
WinHex is not setting off the Windows-configured audits, but the Varonis client I'm running recognized it... I copied the entire folder structure; it didn't set off the (native) alerts. There are probably lots of programs this applies to; I might do more research on this. Also this will help with my Varonis PoC :)

Sandboxie is another way around this; even when I was able to get Sandboxie to trigger something, it came across as explorer and not the program I was using.

Scanning the same folder using AV or other tools does set off the audits when outside Sandboxie. I'm going to try a few more experiments, but I'm guessing that WinHex may use its own driver. I'm going to monitor it with procdump and see what I see.
-rich
McKnife (Author) commented:
Good work, but... the question is: can WinHex find that file?
Rich Rumble (Security Samurai) commented:
Yes, I can copy/read the files inside the directory I have auditing enabled on using WinHex; even the free version (if the file is under 200k) operates the same way, and the event log is clear when I use WinHex to access that folder and/or its files. I will say that Varonis's 3rd-party client is detecting the read from WinHex and Sandboxie, but not Shadow Copy (maybe because it operates as the system?). I'm reading the offsets for files "as we speak" right now. I've not tried the command line, but the GUI isn't being detected; I've used the "everyone" group for my auditing of this folder.
I'm not sure if anything in 2012 improves the audit capabilities for files/folders:
http://technet.microsoft.com/en-us/library/hh849638.aspx
But right now I'm able to "hide" from Windows in several ways; I'm sure there are more, or there is some limitation I can't find documented. I'm not seeing my nightly AV scan showing up (but a manual one does show), so one has to wonder... I'll let you know what else I find.
-rich
Rich Rumble (Security Samurai) commented:
There is an option in WinHex to use the OS to access files, and that sets off the audit!
WinHex security options (open files through operating system)
But otherwise it seems to avoid it, and the reason WinHex does it that way is so that it doesn't mess with timestamps on files/folders. It's been said before, but using forensics tools is often the best way to accomplish anti-forensics :) The duality of security tools and all...
-rich
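Rich's observation above (a block-level read of the volume leaves the NTFS object-access audit empty, while reading "through the operating system" triggers it) is exactly the gap that a handle-level telemetry source such as Sysmon's Event ID 9 (RawAccessRead) covers: it records any process that opens a volume device for raw reads, regardless of NTFS auditing. The Python below is an added example, not part of this thread or of any of the tools named in it; it parses constructed Sysmon Event 9 records in the exported XML layout and flags raw volume reads by processes outside an assumed baseline allowlist.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Processes expected to open volumes block-wise (assumed baseline; tune per host).
ALLOWLIST = {r"C:\Windows\System32\vssvc.exe"}

# Constructed Sysmon records in the exported-XML layout; paths, times and users are invented.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>9</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 10:00:00.000</Data>
<Data Name="Image">C:\Tools\WinHex\WinHex.exe</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
<Data Name="User">CORP\admin2</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>9</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 10:05:00.000</Data>
<Data Name="Image">C:\Windows\System32\vssvc.exe</Data>
<Data Name="Device">\Device\HarddiskVolume2</Data>
<Data Name="User">NT AUTHORITY\SYSTEM</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1</EventID></System><EventData>
<Data Name="UtcTime">2024-01-01 10:06:00.000</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data></EventData></Event>""",
]


def parse_raw_access_read(xml_text):
    """Return the EventData fields of a Sysmon Event ID 9 record, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "9":
        return None
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}


def find_raw_volume_reads(events, allowlist=ALLOWLIST):
    """Raw reads of a volume device by any process outside the allowlist."""
    hits = []
    for xml_text in events:
        data = parse_raw_access_read(xml_text)
        if data is None:
            continue
        device, image = data.get("Device", ""), data.get("Image")
        if device.startswith(r"\Device\HarddiskVolume") and image not in allowlist:
            hits.append((data["UtcTime"], image, device, data.get("User")))
    return hits


if __name__ == "__main__":
    for hit in find_raw_volume_reads(SAMPLE_EVENTS):
        print("raw volume read outside baseline:", hit)
```

The same logic applies to physical-disk devices if the Device prefix check is widened; the allowlist is the part that needs tuning per environment, since backup and imaging agents open volumes this way legitimately.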
McKnife (Author) commented:
Thanks. Although I still haven't got how I would be able to bypass auditing and find a certain file in WinHex, I am closing. The other possible ways are thankfully acknowledged, too.