For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe - - PowerPoint PPT Presentation

SLIDE 1

For Forensics Sake… What to do when IR Strikes

By: Joe Gumke (Twitter: @joegumke)

SLIDE 2

Presentation Overview

  • 1. Incident Response Lifecycle
  • 2. Forensic Artifacts
    • DISK & RAM
  • 3. Demo
SLIDE 3

Incident Response Lifecycle

1. Preparation
  • creating documentation, building tools, etc.
  • understanding of assets/software/environment
2. Identification
  • moment victim becomes aware an attack has occurred
3. Containment / Intel Development
  • keeping further damage from occurring
4. Eradication/Remediation
  • remediating compromised hosts, removing implants, etc.
5. Recovery
  • restoring all business functions
6. Lessons Learned
  • How can we do better next time?
SLIDE 4

NIST

  • NIST SP 800-61

SLIDE 5

Importance of IR Timeline

  • Documentation / consistent timeline usage
  • SANS Timeline Documentation
  • SANS Incident Forms

SLIDE 6

Artifacts Logic Format

  • Who – is causing this activity?
  • What – activity are we trying to identify?
  • When – did this artifact occur (timeline)?
  • Where – is this located on the system? (if applicable; OS dependent)
  • Why – is this artifact important?
  • How – to use them (commercial/open source tools)

SLIDE 7

Acquisition Types

  • Memory Acquisition
    • Software
  • Logical Acquisition
  • Enterprise Acquisition
  • Physical Acquisition
    • Write Blocker

SLIDE 8

Order of Volatility

Order of Volatility of Digital Evidence

1. CPU, cache and register content
2. Routing table, ARP cache, process table, kernel statistics
3. Memory
4. Temporary file system / swap space
5. Data on hard disk
6. Remotely logged data
7. Data contained on archival media

SLIDE 9

Artifact Retrieval Tools

Commercial          Free/Open Source
Encase Forensics    Rekall Framework
FTK                 Google Rapid Response
Tanium              WinRM / PowerShell
F-Response          FTK Imager Lite

SLIDE 10

SIFT Workstation

  • https://digital-forensics.sans.org/community/downloads

SLIDE 11

RAM - Memory

  • Processes
  • Network Connections
  • Open Files
  • Configuration/Command Line Parameters
  • Loaded DLLs
  • Open files and registry handles
  • Network information
  • Passwords and cryptographic keys
  • Unencrypted content
  • Hidden data and files
  • Malicious code

SLIDE 12

RAM - Memory

Tools To Acquire         Tools To Analyze
FTK Imager               Volatility
Dumpit.exe (Moonsols)    Rekall framework
Mandiant Memoryze        Mandiant Redline
winpmem
F-Response               Caploader (packets)

SLIDE 13

RAM - Memory

Mandiant Redline                  Volatility
GUI                               Command Line
Outdated                          Up To Date
Ease of Identifying Indicators    Harder to Spot Evil

Volatility Usage:
  $ python vol.py [plugin] -f [image] --profile=[profile]

Volatility Example:
  $ python vol.py pslist -f /path/to/memory.img --profile=Win7SP1x64

SLIDE 14

Virtual Machine RAM

  • VMware >> .vmem = raw memory
    • Fusion: /users/<username>/Documents/VirtualMachines/
    • Workstation: <Drive Letter>\XXX\My Virtual Machines\<VM Name>
    • ESX: <DatacenterName>\<DatastoreName>\<DirectoryName>\<VirtualMachineName>
  • Microsoft Hyper-V >> .bin = memory image / .vsv = save state
    • Location: <Drive Letter>\XXX\<VM Name>\Virtual Machines\GUID\
  • Parallels >> .mem = raw memory image
    • Location: /Users/<username>/Documents/Parallels/<VM Name>/Snapshots/
  • VirtualBox >> .sav = partial memory image
    • Location: .VirtualBox/Machines/<VM Name>/Snapshots/

SLIDE 15

Other Memory Objects

  • Hibernation file:
    • Compressed RAM image
    • Location: %SYSTEMDRIVE%\hiberfil.sys
  • Memory dumps
    • Complete/Kernel/Small/Automatic (Default) > Same as Kernel
    • Full crash dump will be a complete copy of RAM
    • Location: %WINDIR%\MEMORY.DMP
  • Page/Swap Files
    • %SYSTEMDRIVE%\pagefile.sys
    • %SYSTEMDRIVE%\swapfile.sys (Win8+ / 2012+)

SLIDE 16

RAM - Memory

  • Items Of Interest
    • Suspicious Process Names
    • Suspicious Process Path
    • Suspicious Network Connections
  • Rogue Processes:
    • Incorrectly named image/executable name
    • Incorrect / suspicious file location
    • Suspicious parent process
    • Suspect command line and parameters used
    • Start time information vs boot time
    • Security Identifiers (SIDs)
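Added example (not from the presentation) that turns the rogue-process indicators above into a triage pass over a constructed pslist-style listing: the process rows, boot time and the expected-parent/expected-path table are all constructed, and the table is only an illustrative subset of the core Windows process tree.

```python
from datetime import datetime
# Constructed pslist-style rows: (pid, ppid, image name, full path, start time).
SAMPLE_PROCS = [
    (4, 0, "System", "", "2017-03-01 08:00:01"),
    (420, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe", "2017-03-01 08:00:02"),
    (500, 420, "wininit.exe", "C:\\Windows\\System32\\wininit.exe", "2017-03-01 08:00:03"),
    (560, 500, "services.exe", "C:\\Windows\\System32\\services.exe", "2017-03-01 08:00:04"),
    (572, 500, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "2017-03-01 08:00:04"),
    (812, 560, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", "2017-03-01 08:00:06"),
    (3100, 2800, "explorer.exe", "C:\\Windows\\explorer.exe", "2017-03-01 08:05:10"),
    # Two look-alikes: an svchost.exe under a user profile spawned by explorer.exe,
    # and a second lsass.exe started hours after boot with a parent that is gone.
    (2240, 3100, "svchost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe", "2017-03-01 14:22:10"),
    (2388, 1544, "lsass.exe", "C:\\Windows\\System32\\lsass.exe", "2017-03-01 14:25:41"),
]
BOOT_TIME = datetime(2017, 3, 1, 8, 0, 0)  # constructed boot time

# Illustrative subset: expected (parent image, directory) for core Windows processes.
EXPECTED = {
    "smss.exe": ("system", "c:\\windows\\system32"),
    "wininit.exe": ("smss.exe", "c:\\windows\\system32"),
    "services.exe": ("wininit.exe", "c:\\windows\\system32"),
    "lsass.exe": ("wininit.exe", "c:\\windows\\system32"),
    "svchost.exe": ("services.exe", "c:\\windows\\system32"),
}

def triage(procs, boot_time, boot_window_seconds=300):
    """Return (pid, image name, reason) findings for the rogue-process indicators."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, name, path, started in procs:
        if name.lower() not in EXPECTED:
            continue
        exp_parent, exp_dir = EXPECTED[name.lower()]
        parent = by_pid.get(ppid)
        parent_name = parent[2].lower() if parent else "<exited/unknown>"
        if parent_name != exp_parent:
            findings.append((pid, name, f"parent is {parent_name}, expected {exp_parent}"))
        if path.lower().rsplit("\\", 1)[0] != exp_dir:
            findings.append((pid, name, f"unexpected image location {path}"))
        # Core processes start at boot; a copy started long afterwards needs explaining.
        delta = (datetime.strptime(started, "%Y-%m-%d %H:%M:%S") - boot_time).total_seconds()
        if delta > boot_window_seconds:
            findings.append((pid, name, f"started {int(delta)}s after boot"))
    return findings

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE_PROCS, BOOT_TIME):
        print(f"PID {pid} {name}: {reason}")
```

On a real image the same checks run over the output of the pslist/pstree plugins; the expected-parent table has to be extended per Windows version before relying on it.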

SLIDE 17

MFT – Master File Table

  • NTFS
    • Hidden file on the Windows file system
    • Persists on the system until the disk is reformatted
    • Location: \$MFT
    • Backup MFT called $MftMirr > first four records of MFT
    • USN Journal > records changes to files, streams, and directories on the volume (in $Extend\$UsnJrnl)
    • Volume Shadow Copy > keeps historical versions of files and folders on NTFS volumes
    • LogFile > records metadata changes to the volume

SLIDE 18

MFT – Master File Table

  • DISK Forensics
    • AnalyzeMFT: https://github.com/dkovar/analyzeMFT
  • Memory Forensics
    • Volatility Plugin > mftparser
    • Example:

SLIDE 19

Windows Event Log

  • Security – populates authentication events
  • System – Windows system components activity
  • Application – tied to applications that leverage the Windows API; otherwise look for local application event logs
  • Forwarded Logs (Subscription Logging)
  • Old Event ID (EVT) + 4096 = New Event ID (EVTX)
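Added example (not from the presentation) that applies the +4096 rule to a constructed mix of legacy EVT and EVTX Security records so that failed logons from both formats can be counted together; the records, account names and threshold are constructed.

```python
from collections import Counter

# Constructed Security log records: (log format, event id, account, workstation).
SAMPLE_EVENTS = [
    ("evt", 529, "bob", "WS01"),      # legacy failed logon
    ("evt", 529, "bob", "WS01"),
    ("evtx", 4625, "bob", "WS01"),    # same event type in EVTX numbering
    ("evtx", 4625, "bob", "WS01"),
    ("evtx", 4625, "bob", "WS01"),
    ("evt", 528, "alice", "WS02"),    # legacy successful logon -> 4624
    ("evtx", 4624, "alice", "WS02"),
    ("evt", 592, "bob", "WS01"),      # legacy process creation -> 4688
]

EVT_TO_EVTX_OFFSET = 4096  # the rule from the slide

def normalize_event_id(fmt, event_id):
    """Map a legacy EVT Security event ID to its EVTX value; EVTX IDs pass through.
    Caveat: +4096 is a rule of thumb, not a one-to-one mapping; for example the
    legacy 540 (network logon) was folded into 4624 together with 528."""
    return event_id + EVT_TO_EVTX_OFFSET if fmt == "evt" else event_id

def failed_logon_bursts(events, threshold=5):
    """Return {(account, workstation): count} where 4625 events reach the threshold."""
    counts = Counter()
    for fmt, event_id, account, workstation in events:
        if normalize_event_id(fmt, event_id) == 4625:
            counts[(account, workstation)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def event_ids_seen(events):
    """Distinct normalized event IDs, so EVT and EVTX sources compare directly."""
    return sorted({normalize_event_id(fmt, eid) for fmt, eid, _, _ in events})
```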

SLIDE 20

Windows Event Log

  • Disk Forensics
    • Willi Ballenthin EVTX Parser
    • Command line: eventvwr.msc
    • Event Log Explorer
    • FTK Imager Lite to copy locked files
    • Psloglist (Sysinternals)
  • Memory Forensics
    • Volatility Plugin: evtlogs (XP/2003 only)
    • Volatility Plugin: evtxlogs (Vista+)

SLIDE 21

Registry Artifacts

  • Hives contain keys/values
    • Location: C:\windows\system32\config\
    • NTUSER.DAT: $USERPROFILE\NTUSER.DAT
    • Keys = folders
    • Values = data stored in keys

NTUSER.DAT
  • User Activity
SAM
  • Profile Users
  • Password Policies
  • Group Information
SYSTEM
  • System Configuration
  • Time Zone
  • Network Interfaces
  • Analyze USB Devices
SOFTWARE
  • Windows Version
  • Install Date of Machine
SLIDE 22

Registry Artifacts

  • NTUSER.DAT
    • UserAssist Keys
      • Displays a list of the programs run by a user on Windows
      • Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
      • Didier Stevens UserAssist
    • Shellbags
      • Based on the structure of what you see when you view files via Windows Explorer
      • Tracks user window viewing preferences
      • TZWorks Shellbag Parser
    • MRU List
      • Most Recently Used list from user
      • RegRipper
    • MUI Cache
      • Another location to see if an executable has been run (doesn't list the run time)
      • NirSoft MUICacheView

SLIDE 23

Registry Artifacts

  • DISK Forensics
    • Command line: regedit
    • RegRipper
    • YARU (Yet Another Registry Utility)
  • Memory Forensics
    • Volatility Plugin: dumpregistry

SLIDE 24

Registry Artifacts – Live Box FTK

SLIDE 25

SHIM Cache

  • Application compatibility for Windows
    • Current versions of Windows continually attempt to identify if an application runs better on a previous version of Windows
    • Each version that runs on the Windows system is a SHIM
    • Tracks compatibility issues
    • Records file path, size, last modified, last exec time (if supported by OS)
    • Located: Windows SYSTEM registry hive
      (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache
      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache)
    • Mandiant ShimCacheParser

SLIDE 26

Prefetch

  • Introduced in Win XP, designed to speed up the application startup process
  • Identifies when applications run
  • Prefetch file format:
    • name of the executable
    • list of DLLs used by that executable
    • count of how many times the executable has been run
    • timestamp indicating the last time the program was run
  • Prefetch directory limited to 128 files
  • Win 7+ with SSD drives: not enabled by default

SLIDE 27

Prefetch

  • DISK Forensics
    • Location: C:\windows\prefetch
    • Filename structure: <executable filename>-<prefetch hash>.pf
    • TZWorks Prefetch
  • Memory Forensics
    • Volatility: PrefetchParser
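Added example (not from the presentation) that parses a constructed Prefetch directory listing using the filename structure above and flags executables seen with more than one prefetch hash, which means the same image name ran from more than one path; the listing and its hash values are constructed, and the directory-limit check uses the 128-file figure from the slide.

```python
import re
from collections import defaultdict

# <executable filename>-<prefetch hash>.pf, hash is 8 hex digits.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Constructed directory listing of C:\Windows\Prefetch (hash values are made up).
SAMPLE_LISTING = [
    "CMD.EXE-4A81B364.pf",
    "CMD.EXE-8E75B5BB.pf",       # same image name, different path hash
    "NOTEPAD.EXE-D8414F97.pf",
    "SVCHOST.EXE-135A1BAA.pf",
    "SVCHOST.EXE-3530F672.pf",   # svchost.exe with a second path hash
    "NTOSBOOT-B00DFAAD.pf",      # boot prefetch entry, not an application
    "Layout.ini",                # not a prefetch file, must be ignored
]

def parse_listing(names):
    """Return {executable name: set of hashes} for well-formed .pf filenames."""
    hashes = defaultdict(set)
    for n in names:
        m = PF_NAME.match(n)
        if m:
            hashes[m.group("exe").upper()].add(m.group("hash").upper())
    return dict(hashes)

def multi_path_executables(names):
    """Executables with more than one hash, i.e. run from more than one location."""
    return sorted(exe for exe, h in parse_listing(names).items() if len(h) > 1)

def at_directory_limit(names, limit=128):
    """True when the directory is at the limit (128 pre-Win8; Win8+ allows 1024),
    so older entries may already have been evicted and the absence of a .pf file
    is not evidence that a program never ran."""
    return sum(1 for n in names if PF_NAME.match(n)) >= limit
```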

SLIDE 28

SLIDE 29

RAM Items of Interest

  • Volatility Screenshot

SLIDE 30

RAM Items of Interest

  • Volatility: iehistory

SLIDE 31

RAM Items of Interest

  • Volatility: mimikatz
  • Volatility: hashdump
  • Volatility: lsadump

SLIDE 32

Home/DIY Logging Fun

  • HP ArcSight Logger
  • LogRhythm Network Monitor Freemium
  • AlienVault OSSIM
  • Suricata IDS
  • ELK Stack
  • Bro network sensors
  • Graylog
  • Apache Metron

SLIDE 33

Links / Resources

  • Forensic Artifacts
  • SANS Blog
  • Harlan Carvey
  • Didier Stevens
  • Forensics Wiki
  • Digital Evidence - Best Practices
  • SANS Memory Forensics Cheat Sheet
  • SANS Digital Forensics Cheat Sheet

SLIDE 34

DEMO