For Forensics Sake… What to do when IR Strikes
By: Joe Gumke
Twitter: @joegumke
NDSU · 2017-03-22


Page 2

Presentation Overview

1. Incident Response Lifecycle
2. Forensic Artifacts
   1. Disk & RAM
3. Demo

Page 3

Incident Response Lifecycle

1. Preparation
   • Creating documentation, building tools, etc.
   • Understanding of assets/software/environment
2. Identification
   • The moment the victim becomes aware an attack has occurred
3. Containment / Intel Development
   • Keeping further damage from occurring
4. Eradication / Remediation
   • Remediating compromised hosts, removing implants, etc.
5. Recovery
   • Restoring all business functions
6. Lessons Learned
   • How can we do better next time?

Page 4

NIST

• NIST SP 800-61

Page 5

Importance of IR Timeline

• Documentation / consistent timeline usage
• SANS Timeline Documentation
• SANS Incident Forms

Page 6

Artifacts Logic Format

• Who – Is causing this activity?
• What – Activity are we trying to identify?
• When – Did this artifact occur (timeline)?
• Where – Is this located on the system? (if applicable; OS dependent)
• Why – Is this artifact important?
• How – To use them (commercial / open source tools)

Page 7

Acquisition Types

• Memory Acquisition
  • Software
• Logical Acquisition
  • Enterprise Acquisition
• Physical Acquisition
  • Write Blocker

Page 8

Order of Volatility

Order of Volatility of Digital Evidence (most volatile first)

1. CPU, cache and register content

2. Routing table, ARP cache, process table, kernel statistics

3. Memory

4. Temporary file system / swap space

5. Data on hard disk

6. Remotely logged data

7. Data contained on archival media

Page 9

Artifact Retrieval Tools

Commercial          Free/Open Source
Encase Forensics    Rekall Framework
FTK                 Google Rapid Response
Tanium              WinRM / PowerShell
F-Response          FTK Imager Lite

Page 10

SIFT Workstation

• https://digital-forensics.sans.org/community/downloads

Page 11

RAM - Memory

• Processes
• Network connections
• Open files
• Configuration / command line parameters
• Loaded DLLs
• Open file and registry handles
• Network information
• Passwords and cryptographic keys
• Unencrypted content
• Hidden data and files
• Malicious code

Page 12

RAM - Memory

Tools To Acquire         Tools To Analyze
FTK Imager               Volatility
DumpIt.exe (MoonSols)    Rekall Framework
Mandiant Memoryze        Mandiant Redline
winpmem                  F-Response
                         CapLoader (packets)

Page 13

RAM - Memory

Mandiant Redline                  Volatility
GUI                               Command line
Outdated                          Up to date
Ease of identifying indicators    Harder to spot evil

Volatility usage: $ python vol.py [plugin] -f [image] --profile=[profile]

Volatility example: $ python vol.py pslist -f /path/to/memory.img --profile=Win7SP1x64

Page 14

Virtual Machine RAM

• VMware: .vmem = raw memory
  • Fusion: /Users/<username>/Documents/Virtual Machines/
  • Workstation: <Drive Letter>\XXX\My Virtual Machines\<VM Name>
  • ESX: <DatacenterName>\<DatastoreName>\<DirectoryName>\<VirtualMachineName>
• Microsoft Hyper-V: .bin = memory image / .vsv = saved state
  • Location: <Drive Letter>\XXX\<VM Name>\Virtual Machines\<GUID>\
• Parallels: .mem = raw memory image
  • Location: /Users/<username>/Documents/Parallels/<VM Name>/Snapshots/
• VirtualBox: .sav = partial memory image
  • Location: .VirtualBox/Machines/<VM Name>/Snapshots/

Page 15

Other Memory Objects

• Hibernation file
  • Compressed RAM image
  • Location: %SYSTEMDRIVE%\hiberfil.sys
• Memory dumps
  • Complete / Kernel / Small / Automatic (default; same as Kernel)
  • A full (Complete) crash dump is a complete copy of RAM
  • Location: %WINDIR%\MEMORY.DMP
• Page / swap files
  • %SYSTEMDRIVE%\pagefile.sys
  • %SYSTEMDRIVE%\swapfile.sys (Win8+ / 2012+)

Page 16

RAM - Memory

• Items of interest
  • Suspicious process names
  • Suspicious process path
  • Suspicious network connections
• Rogue processes:
  • Incorrectly named image / executable name
  • Incorrect / suspicious file location
  • Suspicious parent process
  • Suspect command line and parameters used
  • Start time information vs. boot time
  • Security Identifiers (SIDs)
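As an added example (not from the deck), the rogue-process signs above written as triage logic over a constructed pslist-style listing. The expected-parent and expected-folder baseline for core Windows processes and the five-minute boot window are assumptions of this example, not something the slides state:

```python
import difflib
from datetime import datetime, timedelta

# Assumed "know normal" baseline: expected parent and image folder for core
# Windows processes (None = the parent has normally exited by capture time).
EXPECTED = {"smss.exe": ("system", "system32"), "csrss.exe": (None, "system32"),
            "wininit.exe": ("smss.exe", "system32"), "services.exe": ("wininit.exe", "system32"),
            "lsass.exe": ("wininit.exe", "system32"), "svchost.exe": ("services.exe", "system32"),
            "explorer.exe": (None, "windows")}
# Core processes that should start within moments of boot, not hours later.
EARLY_BOOT = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}

def triage(procs, boot_time):
    """procs: (pid, ppid, name, path, start) rows; returns (pid, name, reason) findings."""
    names = {pid: name.lower() for pid, _, name, _, _ in procs}
    findings = []
    for pid, ppid, name, path, start in procs:
        lname, parent = name.lower(), names.get(ppid)
        # Folder that directly contains the image, e.g. "system32" or "temp".
        folder = path.lower().rsplit("\\", 2)[-2] if "\\" in path else ""
        if lname in EXPECTED:
            exp_parent, exp_dir = EXPECTED[lname]
            if exp_parent and parent != exp_parent:
                findings.append((pid, name, f"parent is {parent}, expected {exp_parent}"))
            if folder != exp_dir:
                findings.append((pid, name, f"unexpected location {path}"))
            if lname in EARLY_BOOT and start - boot_time > timedelta(minutes=5):
                findings.append((pid, name, "started long after boot"))
        # Near-miss names (scvhost.exe, lsas.exe, ...) that imitate a core process.
        elif difflib.get_close_matches(lname, EXPECTED, n=1, cutoff=0.85):
            findings.append((pid, name, "name imitates a core Windows process"))
    return findings

# Constructed sample listing (not from a real image); machine booted at 08:00.
BOOT = datetime(2017, 3, 22, 8, 0, 0)
S = lambda secs: BOOT + timedelta(seconds=secs)
SAMPLE = [
    (4, 0, "System", "", BOOT),
    (300, 4, "smss.exe", r"\SystemRoot\System32\smss.exe", S(5)),
    (400, 300, "wininit.exe", r"C:\Windows\System32\wininit.exe", S(6)),
    (500, 400, "services.exe", r"C:\Windows\System32\services.exe", S(7)),
    (600, 400, "lsass.exe", r"C:\Windows\System32\lsass.exe", S(7)),
    (700, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe", S(10)),
    (1900, 1800, "explorer.exe", r"C:\Windows\explorer.exe", S(40)),
    (2200, 1900, "svchost.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe", S(3 * 3600)),
    (2300, 1900, "scvhost.exe", r"C:\Users\bob\AppData\Local\Temp\scvhost.exe", S(3 * 3600)),
]
```

Calling triage(SAMPLE, BOOT) returns three findings, all on the two processes under Temp: the svchost.exe copy for its parent and location, and scvhost.exe for its look-alike name.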

Page 17

MFT – Master File Table

• NTFS
• Hidden file on the Windows file system
• Persists on the volume until the disk is reformatted
• Location: \$MFT
• Backup MFT called $MFTMirr: first four records of the MFT
• USN Journal (in $Extend\$UsnJrnl): records changes to files, streams, and directories on the volume
• Volume Shadow Copy: keeps historical versions of files and folders on NTFS volumes
• $LogFile: records metadata changes to the volume

Page 18

MFT – Master File Table

• Disk Forensics
  • AnalyzeMFT: https://github.com/dkovar/analyzeMFT
• Memory Forensics
  • Volatility plugin: mftparser
  • Example:

Page 19

Windows Event Log

• Security – populates authentication events
• System – Windows system components activity
• Application – tied to applications that leverage the Windows API; otherwise look for local application event logs
• Forwarded Logs (subscription logging)
• Old Event ID (EVT) + 4096 = New Event ID (EVTX)

Page 20

Windows Event Log

• Disk Forensics
  • Willi Ballenthin EVTX parser
  • Command line: eventvwr.msc
  • Event Log Explorer
  • FTK Imager Lite to copy locked files
  • Psloglist (Sysinternals)
• Memory Forensics
  • Volatility plugin: evtlogs (XP/2003 only)
  • Volatility plugin: evtxlogs (Vista+)

Page 21

Registry Artifacts

• Hives contain keys/values
  • Location: C:\windows\system32\config\
  • NTUSER.DAT: %USERPROFILE%\NTUSER.DAT
• Keys = folders
• Values = data stored in keys

Hive         What it tells you
NTUSER.DAT   User activity
SAM          Profile users, password policies, group information
SYSTEM       System configuration, time zone, network interfaces, analyze USB devices
SOFTWARE     Windows version, install date of machine

Page 22

Registry Artifacts

• NTUSER.DAT
  • UserAssist keys
    • Displays a list of the programs run by a user on Windows
    • Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
    • Didier Stevens UserAssist
  • Shellbags
    • Based on the structure of what you see when you view files via Windows Explorer
    • Tracks user window viewing preferences
    • TZWorks Shellbag Parser
  • MRU List
    • Most Recently Used list for the user
    • RegRipper
  • MUI Cache
    • Another location to see if an executable has been run (doesn't list the run time)
    • NirSoft MUICacheView

Page 23

Registry Artifacts

• Disk Forensics
  • Command line: regedit
  • RegRipper
  • YARU (Yet Another Registry Utility)
• Memory Forensics
  • Volatility plugin: dumpregistry

Page 24

Registry Artifacts – Live Box FTK

Page 25

SHIM Cache

• Application compatibility for Windows
• Current versions of Windows continually attempt to identify whether an application runs better on a previous version of Windows
• Each compatibility layer applied to an application on the Windows system is a shim
• Tracks compatibility issues
• Records file path, size, last modified, last exec time (if supported by OS)
• Located: Windows SYSTEM registry hive (two key names, depending on the Windows version)
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
• Mandiant ShimCacheParser

Page 26

Prefetch

• Introduced in Win XP, designed to speed up the application startup process
• Identifies when applications run
• Prefetch file format:
  • Name of the executable
  • List of DLLs used by that executable
  • Count of how many times the executable has been run
  • Timestamp indicating the last time the program was run
• Prefetch directory limited to 128 files
• Win 7+ with SSD drives: not enabled by default

Page 27

Prefetch

• Disk Forensics
  • Location: C:\windows\prefetch
  • Filename structure: <executable filename>-<prefetch hash>.pf
  • TZWorks Prefetch
• Memory Forensics
  • Volatility: PrefetchParser
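An added example (not from the deck, TZWorks or the Volatility plugin) that reads the fields listed on the previous slide from an uncompressed .pf header and checks the on-disk name against the <executable filename>-<prefetch hash>.pf structure. The header offsets, the per-version offsets of run count and last-run time, and the sample hash are assumptions of this example; Windows 10 files are compressed and are rejected rather than parsed:

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout of an uncompressed prefetch file (XP through 8.1): version at
# offset 0, "SCCA" signature at 4, file size at 12, executable name as UTF-16LE
# in 60 bytes at 16, prefetch hash at 76. The hash is derived from the full path
# of the executable, so the same binary run from two folders gives two .pf files.
# Per-version offsets of (last-run FILETIME, run count); version 26 keeps eight
# last-run times at 0x80, of which the first is the most recent.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(blob, filename):
    """Parse one .pf header and check that the on-disk name matches
    <executable filename>-<prefetch hash>.pf (case-insensitive)."""
    version, sig = struct.unpack_from("<I4s", blob, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file: bad SCCA signature")
    if version not in LAYOUT:   # Windows 10 (version 30) files are MAM-compressed
        raise ValueError(f"unsupported prefetch version {version}")
    exe = blob[16:76].decode("utf-16-le").split("\0", 1)[0]
    pf_hash = struct.unpack_from("<I", blob, 76)[0]
    last_off, count_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", blob, last_off)[0]
    run_count = struct.unpack_from("<I", blob, count_off)[0]
    expected = f"{exe}-{pf_hash:08X}.pf"
    return {"exe": exe, "hash": f"{pf_hash:08X}", "run_count": run_count,
            "last_run": filetime_to_dt(last_run),
            "name_matches": filename.upper() == expected.upper()}

# Constructed version-23 (Windows 7) sample, not a real capture: CMD.EXE run
# 7 times, last on 2017-03-22 14:05 UTC, with a made-up hash value.
SAMPLE_LAST = datetime(2017, 3, 22, 14, 5, 0, tzinfo=timezone.utc)
SAMPLE_PF = bytearray(0xA0)
struct.pack_into("<I4sII", SAMPLE_PF, 0, 23, b"SCCA", 0x11, len(SAMPLE_PF))
SAMPLE_PF[16:16 + 14] = "CMD.EXE".encode("utf-16-le")
struct.pack_into("<I", SAMPLE_PF, 76, 0x4A81B364)
struct.pack_into("<Q", SAMPLE_PF, 0x80, (SAMPLE_LAST - EPOCH) // timedelta(microseconds=1) * 10)
struct.pack_into("<I", SAMPLE_PF, 0x98, 7)
SAMPLE_PF = bytes(SAMPLE_PF)
```

A name that does not match the hash in the header (a renamed or planted .pf) is worth a second look during a disk review, since Windows itself always writes the name from the path hash.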

Page 28

Page 29

RAM Items of Interest

• Volatility screenshot

Page 30

RAM Items of Interest

• Volatility: iehistory

Page 31

RAM Items of Interest

• Volatility: mimikatz
• Volatility: hashdump
• Volatility: lsadump

Page 32

Home/DIY Logging Fun

• HP ArcSight Logger
• LogRhythm Network Monitor Freemium
• AlienVault OSSIM
• Suricata IDS
• ELK Stack
• Bro network sensors
• Graylog
• Apache Metron

Page 33

Links / Resources

• Forensic Artifacts
• SANS Blog
• Harlan Carvey
• Didier Stevens
• Forensics Wiki
• Digital Evidence - Best Practices
• SANS Memory Forensics Cheat Sheet
• SANS Digital Forensics Cheat Sheet

Page 34

DEMO