This artifact enables disk analysis over an EFI System Partition (ESP).
The artifact queries the specified pysical disk, parses the partition table to targets the ESPs File Allocation Table (FAT).
The default artifact returns file information, and PE enrichment as typical EFI files are in the PE format.
We can looks for anomalities in EFI such as:
NOTE: default returns EFI files, rerun with TargetGlob=**/*
glob and
return all files.
name: Windows.Forensics.UEFI
author: Matt Green - @mgreen27
description: |
This artifact enables disk analysis over an EFI System Partition (ESP).
The artifact queries the specified pysical disk, parses the partition table
to targets the ESPs File Allocation Table (FAT).
The default artifact returns file information, and PE enrichment as typical EFI files are in the PE format.
We can looks for anomalities in EFI such as:
- unexpected time stamps outside install / OS updates
- unexpected paths (EFI/ is typically the root folder on this partition)
- unexpected metadata: signer non microsoft or known vendor (note we expect non trusted certificates here as the authenticode api does not service ESP binaries)
NOTE: default returns EFI files, rerun with ```TargetGlob=**/*``` glob and
return all files.
parameters:
- name: ImagePath
default: \\.\PhysicalDrive0
description: Raw Device for main disk containing partition table to parse.
- name: SectorSize
type: int
default: 512
- name: TargetGlob
default: "**/*.efi"
- name: DISABLE_DANGEROUS_API_CALLS
type: bool
description: |
Enable this to disable potentially flakey APIs which may cause
crashes.
sources:
- query: |
LET find_efi = SELECT StartOffset,EndOffset,
Size AS PartitionSize,
name AS PartitionName
FROM Artifact.Windows.Forensics.PartitionTable(
ImagePath=ImagePath, SectorSize=SectorSize)
WHERE PartitionName =~ "EFI"
LET find_files = SELECT * FROM foreach(row=find_efi,
query={
SELECT *,
StartOffset as PartitionOffset,
PartitionSize,
PartitionName
FROM glob(globs=TargetGlob,
accessor="fat",
root=pathspec(
DelegateAccessor="offset",
DelegatePath=pathspec(
DelegateAccessor="raw_file",
DelegatePath=ImagePath,
Path=format(format="%d", args=StartOffset))))
})
SELECT
dict(
ImagePath=ImagePath,
PartitionOffset=PartitionOffset,
PartitionSize=PartitionSize,
PartitionName=PartitionName
) as Partition,
OSPath.Path as OSPath,
Size, Mtime, Atime, Ctime, Btime,
Data.first_cluster as FirstCluster,
Data.attr AS Attr,
Data.deleted as IsDeleted,
Data.short_name AS ShortName,
hash(accessor='fat',path=OSPath) as Hash,
magic(accessor='fat',path=OSPath) as Magic,
parse_pe(accessor='fat',file=OSPath) as PEInfo,
authenticode(accessor='fat',filename=OSPath) as Authenticode
FROM find_files