The Background Intelligent Transfer Service (BITS) is a technology developed by Microsoft to manage file uploads and downloads, to and from HTTP servers and SMB shares, in a more controlled and load-balanced way. If the user who started the download logs out of the computer, or if a network connection is lost, BITS will resume the download automatically. This capability to survive reboots makes it an ideal tool for attackers to drop malicious files onto an impacted Windows workstation, especially considering that Microsoft boxes do not have tools like wget or curl installed by default, and that web browsers (especially those in corporate environments) may have filters and plugins preventing the download of bad files. In recent years, BITS has been increasingly used not only as a means to place malicious files onto targets but also to exfiltrate data from compromised computers. This paper shows how BITS can be used for malicious purposes and examines the traces left by its usage in network traffic, on hard disk and in RAM. The purpose of this research is also to compare the findings that can surface from each type of examination (network traffic examination, hard disk examination and RAM examination) and to highlight the limitations of each analysis type.
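As an illustration of the network-traffic examination mentioned above, the following added example (not code from the paper) flags BITS transfers to unexpected hosts in web proxy logs. The `Microsoft BITS/` User-Agent prefix and the `BITS_POST` upload verb are how the BITS client appears on the wire; the log format, the host allowlist and the sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts this environment expects BITS to contact (tune per site).
ALLOWED_SUFFIXES = (".windowsupdate.com", ".microsoft.com", ".wsus.corp.example")

# Constructed proxy log lines: client, method, URL, status, user agent.
SAMPLE_LOG = """\
10.0.4.21 GET http://au.download.windowsupdate.com/d/upd/kb.cab 206 "Microsoft BITS/7.8"
10.0.4.37 GET http://files.example.net/invoice.exe 206 "Microsoft BITS/7.8"
10.0.4.37 BITS_POST http://drop.example.net/up/archive.zip 200 "Microsoft BITS/7.8"
10.0.4.50 GET http://files.example.net/index.html 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def host_allowed(host):
    """True if host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in ALLOWED_SUFFIXES)


def classify(line):
    """Return a finding dict for a BITS request to a non-allowlisted host."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url, _status, agent = m.groups()
    # BITS downloads carry the BITS User-Agent; uploads use the BITS_POST verb.
    if not (agent.startswith("Microsoft BITS/") or method == "BITS_POST"):
        return None
    host = urlsplit(url).hostname or ""
    if host_allowed(host):
        return None
    kind = "upload" if method == "BITS_POST" else "download"
    return {"client": client, "kind": kind, "host": host, "url": url}


def find_suspicious_bits(log_text):
    """Scan a whole log and keep only the flagged BITS transfers."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in find_suspicious_bits(SAMPLE_LOG):
        print(finding)
```

Uploads to non-allowlisted hosts deserve the closest look, since they correspond to the exfiltration use described above. This view only sees unencrypted or proxy-terminated traffic, which is one of the limitations that motivates also examining disk and RAM.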