Page 1: Sniper Forensics v3 Hunt

© 2012

Presented by:

Sniper Forensics v3.0 Hunt

Christopher Pogue, CISSP, CEH, CREA, GFCA, QSA

Managing Consultant

SpiderLabs Incident Response and Digital Forensics

Page 2: Sniper Forensics v3 Hunt

Who Am I?

• Managing Consultant for the Trustwave SpiderLabs
• Master's degree in Information Security
• Author of "Unix and Linux Forensic Analysis" by Syngress
• Author of the award winning blog, "The Digital Standard"
• Chosen as a SANS "Thought Leader" in 2010
• Member of the USSS Electronic Crimes Task Force
• Speaker @ SANS DFIR '09, '10, '11, '12, The Computer Forensics Show '09 and '10, Direct Response Forum '09, SecTor '09, '10, '11, '12, USSS ECTF – Miami, Dallas, The Next HOPE '10, BSIDESLV '10, DEF CON 18 & 20, LM Connect '10, GFIRST '11, '12, SecureTech '11 and Career Day at my kids' school.
• Former US Army Signal Corps Warrant Officer

Page 3: Sniper Forensics v3 Hunt

Thank You Dan Christensen!

http://dcdrawings.blogspot.com/

Page 4: Sniper Forensics v3 Hunt

Thank You MAJ Carole Newell…I think…

Twitter handle: @cpbeefcake

Page 5: Sniper Forensics v3 Hunt

TheDigitalStandard.Blogspot.com

Page 6: Sniper Forensics v3 Hunt

Agenda

• Recap – What is Sniper Forensics?
• The Evolution of Sniper Forensics
• What are the benefits of using Sniper Forensics?
• Testimonials
• Indicators of Compromise
• 1000 yard stare
• In the Cross Hairs
• Lethal Forensication
• Case Studies
• Conclusion

Page 7: Sniper Forensics v3 Hunt

The Evolution of: Sniper Forensics

• The process of taking a targeted, deliberate approach to forensic investigations:
  – Create an investigation plan
  – Apply sound logic
    • Locard's Exchange Principle
    • Occam's Razor
    • The Alexiou Principle
  – Extract what needs to be extracted, nothing more
  – Allow the data to provide the answers
  – Report on what was done
  – Answer the questions

Page 8: Sniper Forensics v3 Hunt

Sniper Forensics V2.0: Target Acquisition

• What do I snipe?
  • Registry Hives
    • SAM
    • Security
    • System
    • Software
    • NTUSER.DAT
• How do I actually DO that?
  • Manually via FTK using F-Response
  • Script it
• How do I interpret the data?
  • Infiltration
  • Aggregation
  • Exfiltration

Page 9: Sniper Forensics v3 Hunt

Sniper Forensics v3.0: Hunt

• Identify Indicators of Compromise (IOC)
• 1000 yard stare
• In The Cross Hairs
• Lethal Forensication
• Endgame

Page 10: Sniper Forensics v3 Hunt

Benefits…Don't Take My Word For it!

• "Sniper Forensics is the only methodology worth using. That's something the monolithic drive imaging shops don't want to hear. It will beat them to the results and help to stop the bleeding faster every time."

- Nicholas J. Percoco
- Senior Vice President, Trustwave SpiderLabs
- @c7five

Page 11: Sniper Forensics v3 Hunt

Benefits…Don't Take My Word For it!

• "Sniper Forensics rocks because its foundation lies in logic. Try it, you will thank us later!"

- Jibran Ilyas
- Senior Security Consultant, SpiderLabs DFIR Team
- @JibranIlyas

Page 12: Sniper Forensics v3 Hunt

Benefits…Don't Take My Word For it!

• "Chris' Sniper Forensics Series teaches something much more important than simple technical skills. It teaches the investigative process and how to keep your eye on the ball. Too many investigators, digital or otherwise, get bogged down and sidetracked with the massive quantities of information. Chris's methodology perfectly illustrates the methods investigators should be using to limit the scope of their engagements."

- Larry "Lee" Sult
- Security Analyst, SpiderLabs DFIR Team
- CyberFrontSecurity.blogspot.com

Page 13: Sniper Forensics v3 Hunt

Benefits…Don't Take My Word For it!

• "Look, digital forensics is getting more complicated not less complicated. The old school forensics methodology does not work on mobile and embedded devices, and you're not going to image 'the cloud'. Sniper Forensics is the embodiment of how forensic cases will be worked in the future. Know what you need to solve the case and go get it."

- Grayson Lenik
- Security Consultant, SpiderLabs DFIR Team
- Author of the award winning blog, "EyeOnForensics"
- @handlefree

Page 14: Sniper Forensics v3 Hunt

Benefits…Don't Take My Word For it!

• "During a major breach, there is no plan B. Chris's presentations on Sniper Forensics are the result of his time spent on the front lines in the field. If you are looking to equip your team with what they really need, Sniper Forensics details special ops TTPs that make a clear difference."

- Rob Lee
- Forensics Curriculum Lead, SANS Institute
- @RobtLee

* TTP = Tactics, Techniques, and Procedures

Page 15: Sniper Forensics v3 Hunt

Indicators of Compromise

• What is different in the eyes of a hunter?
  • They know what they are looking for
  • Valuable past experience
  • They know what it looks like when they found it
  • They do not hesitate to pull the trigger

Pages 16-20: Sniper Forensics v3 Hunt

Indicators of Compromise (five image-only slides; the images are listed on Page 21)

Page 21: Sniper Forensics v3 Hunt

Indicators of Compromise

• What do all of these images have in common?
  • Hoof print
  • Burned Wall
  • Bullet
  • Cake Ball
  • Comic Book

Page 22: Sniper Forensics v3 Hunt

Indicators of Compromise

• To the untrained eye, they seem like one of the hundreds of thousands of images we see every day. To the expert eye, they hold significant value.
  • Hoof print: Deer track
  • Burned Wall: Evidence of the use of a liquid fire accelerant
  • Bullet: .38 Caliber round
  • Cake Ball: Red Velvet cake ball with an almond bark exterior
  • Comic Book: Spiderman issue #1

Page 23: Sniper Forensics v3 Hunt

1000 Yard Stare

• As practitioners of digital forensics, we are the expert eyes of the cyber crime world
• Arguably the most difficult of all forensic disciplines
  • Constantly changing and evolving data sample
  • Very real, very proactive adversary, with extensive resources and time
  • Thousands of hiding places

Page 24: Sniper Forensics v3 Hunt

1000 Yard Stare

• Study the terrain
  – What is "normal"
    • Research
    • Experience
• Study the target
  – Why is it a target?
  – What value does the target hold?
  – What weakness does the target possess?
• Study the enemy
  – Learn his behaviors
    • Where does he operate?
    • How does he operate?
    • Why does he operate?

Page 25: Sniper Forensics v3 Hunt

In The Cross Hairs

• All malware has specific components
  • Propagation Mechanism
  • Aggregation Mechanism
  • Encoding (not encryption)
  • Exfiltration
  • Remote Access

Page 26: Sniper Forensics v3 Hunt

In The Cross Hairs

• How do those components work?
• How would a memory dumper dump memory?
  – Would it dump the entire contents of memory?
  – Would it dump the memory from a specific process?
• How would a keylogger log keystrokes?
  – Would it log the input from a specific device?
  – Would it gather screenshots?
• How would a network sniffer operate?
  – What critical elements HAVE to be in place?
  – How can you tell?

Page 27: Sniper Forensics v3 Hunt

Lethal Forensication

• Indicators of Compromise
• All types of malware have to do three things:
  • Live
  • Run
  • Generate output
• Once you identify what is being done and how, you can use that IOC on the current case, or future cases (i.e., build a database of known IOCs).

Page 28: Sniper Forensics v3 Hunt

Lethal Forensication

• Once you know what the enemy looks like, and how he acts, it becomes exponentially easier to identify:
  • The Likely Target
  • The Likely means of Infiltration
  • The Likely means of Aggregation
  • The Likely means of Exfiltration

Page 29: Sniper Forensics v3 Hunt

Case Studies

What's wrong with this picture?

• Two processes called "OPS.exe"
• Which one is legitimate, and which is not?
• How can I tell?
• What can I logically conclude from this finding?

Page 30: Sniper Forensics v3 Hunt

Case Studies

What's wrong with this picture?

• Two dlls called "webcheck.dll"
• Which one is legitimate, and which is not?
• How can I tell?
• What can I logically conclude from this finding?

Page 31: Sniper Forensics v3 Hunt

Case Studies

What's wrong with this picture?

• Is svchost.exe a legitimate binary name?
• Is there a problem with this one?
• How can I tell?
• What can I logically conclude from this finding?
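The three case studies above (duplicate OPS.exe, duplicate webcheck.dll, a suspect svchost.exe) all come down to the same "what is normal" comparison: path on disk and parent process against a baseline built from studying the terrain. The Python below is an added example, not part of the slides; the process and module listings, and the baseline itself, are constructed for one hypothetical host.

```python
from collections import defaultdict

# Constructed process listing standing in for the slides' screenshots (not real case data):
# (pid, image name, on-disk path, parent image name).
PROCESSES = [
    (612, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    (820, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    (1488, "svchost.exe", r"C:\Windows\Temp\svchost.exe", "explorer.exe"),
    (1700, "OPS.exe", r"C:\Program Files\POS\OPS.exe", "services.exe"),
    (2212, "OPS.exe", r"C:\Users\Public\OPS.exe", "cmd.exe"),
]
# Constructed loaded-module listing: (owning pid, module name, on-disk path).
MODULES = [
    (820, "webcheck.dll", r"C:\Windows\System32\webcheck.dll"),
    (1488, "webcheck.dll", r"C:\Windows\Temp\webcheck.dll"),
]
# The "what is normal" baseline from studying the terrain, constructed for one 32-bit host
# (a 64-bit host also has legitimate copies under SysWOW64, so extend the entries there).
EXPECTED_PATH = {"svchost.exe": r"c:\windows\system32\svchost.exe",
                 "webcheck.dll": r"c:\windows\system32\webcheck.dll"}
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}}


def find_name_collisions(entries):
    """Names that occur more than once with different paths (the two OPS.exe case)."""
    paths_by_name = defaultdict(set)
    for entry in entries:                      # works for process and module tuples
        paths_by_name[entry[1].lower()].add(entry[2].lower())
    return {n: sorted(p) for n, p in paths_by_name.items() if len(p) > 1}


def flag_suspicious(processes, modules):
    """Check path and parent against the baseline; return (pid, reason) findings."""
    findings = []
    for pid, name, path, parent in processes:
        expected = EXPECTED_PATH.get(name.lower())
        if expected and path.lower() != expected:
            findings.append((pid, f"{name} runs from {path}, expected {expected}"))
        parents = EXPECTED_PARENT.get(name.lower())
        if parents and parent.lower() not in parents:
            findings.append((pid, f"{name} parent is {parent}, expected {sorted(parents)}"))
    for pid, name, path in modules:
        expected = EXPECTED_PATH.get(name.lower())
        if expected and path.lower() != expected:
            findings.append((pid, f"{name} loaded from {path}, expected {expected}"))
    return findings
```

Name collisions only tell you that one of the pair is wrong; the baseline comparison is what points at pid 1488 and leaves the second OPS.exe as a lead to verify by hand, which is the logical conclusion the slides ask for.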

Page 32: Sniper Forensics v3 Hunt

Conclusion

• To have the expert eyes of a hunter, you MUST:
  • Put in the chair time
    • What is normal
    • What is abnormal
  • Study your target
    • Why are they likely a target
    • What do they have that is worth stealing
  • Study the enemy
    • What are they doing
    • How are they doing it
    • What are the current trends
    • Where can you foresee it going

Page 33: Sniper Forensics v3 Hunt

Final Thought

Is this merely a laptop?

OR

Is it an investigation tool in the hands of an expert?

Page 34: Sniper Forensics v3 Hunt

Questions?

[email protected]
@cpbeefcake