For Forensics Sake What to do when IR Strikes By : Joe Gumke Joe - PowerPoint PPT Presentation

For Forensics Sake… What to do when IR Strikes By : Joe Gumke Joe Gumke Twitter : @joegumke

Presentation Overview 1. Incident Response Lifecycle 2. Forensic Artifacts 1. DISK & RAM 3. Demo

Incident Response Lifecycle 1.Preparation creating documentation, building tools, etc. • • Understanding of assets/software/environment 2.Identification moment victim becomes aware an attack has • occurred 3.Containment /Intel Development keeping further damage from occurring. • 4.Eradication/Remediation Remediating compromised hosts, removing • implants, etc. 5.Recovery restoring all business functions • 6.Lessons Learned How can we do better next time? •

NIST NIST SP 800-61 u

Importance of IR Timeline Documentation/Consistent Timeline Usage u SANS Timeline Documentation u SANS Incident Forms u

Artifacts Logic Format Who – Is causing this activity? u What – activity are we trying to identify ? u When – Did this artifact occur (timeline) ? u Where -- Is this located on the system ?(if applicable- OS dependent) u Why – Is this artifact important? u How – To use them (commercial/open source tools) u

Acquisition Types Memory Acquisition u u Software Logical Acquisition u Enterprise Acquisition u Physical Acquisition u u Write Blocker

Order of Volatility Order of Volatility of Digital Evidence CPU, cache and register content 1. Routing table, ARP cache, process table, kernel statistics 2. Memory 3. Temporary file system / swap space 4. Data on hard disk 5. Remotely logged data 6. Data contained on archival media 7.

Artifact Retrieval Tools Commercial Free/Open Source Encase Forensics Rekall Framework FTK Google Rapid Response Tanium Winrm / Powershell F-Response FTK Imager Lite

SIFT Workstation https://digital-forensics.sans.org/community/downloads u

RAM - Memory Processes u Network Connections u Open Files u Configuration/Command Line Parameters u Loaded DLLs u Open files and registry handles u Network information u Passwords and cryptographic keys u Unencrypted content u Hidden data and files u Malicious code u

RAM - Memory Tools To Acquire Tools To Analyze FTK Imager volatility Dumpit.exe > Moonsols Rekall framework Mandiant Memoryze Mandiant redline winpmem F-Response Caploader (packets)

RAM - Memory Mandiant Redline Volatility GUI Command Line Outdated Update To Date Ease of Identifying Indicators Harder to Spot Evil Volatility Usage : $ python vol.py [plugin] -f [image] --profile=[profile] Volatility Example : $ python vol.py pslist -f /path/to/memory.img --profile=Win7SP1x64

Virtual Machine RAM Vmware >> .vmem = raw memory u u Fusion: /users/<username>/Documents/VirtualMachines/ u Workstation: <Drive Letter>\XXX\My Virtual Machines\<VM Name> u ESX: <DatacenterName>\<DatastoreName>\<DirectoryName>\<VirtualMachineName> Microsoft Hyper-V >> .bin = memory image / .vsv = save state u u Location : <Drive Letter>\XXX\<VM Name>\Virtual Machines\GUID\ Parallels >> .mem == raw memory image u u Location : /Users/<username>/Documents/Parallels/<VM Name>/Snapshots/ VirtualBox >> .sav = partial memory image u u Location : .VirtualBox/Machines/<VM Name>/Snapshots/

Other Memory Objects Hibernation file : u u Compressed RAM Image u Location : %SYSTEMDRIVE%\hiberfil.sys Memory dumps u Complete/Kernel/Small/Automatic (Default) > Same as Kernel u Full crash dump will be complete copy of RAM u Location : %WINDIR%\MEMORY.DMP u Page/Swap Files u u %SYSTEMDRIVE%\pagefile.sys u %SYSTEMDRIVE%\swapfile.sys (win8+\2012+)

RAM - Memory Items Of Interest u u Suspicious Process Names u Suspicious Process Path u Suspicious Network Connections Rogue Processes: u u Incorrectly Named Image/Executable Name u Incorrect / Suspicious File Location u Suspicious Parent Process u Suspect Command Line and parameters used u Start Time Information Vs Boot Time u Security Identifiers (SIDs)

MFT – Master File Table NTFS u u Hidden file on the windows file system. u Will be created on the system until disk is reformatted u Location : \$MFT u Backup MFT called : $MftMirr > first four records of MFT u USRJournal > Records(in $Extend\$UsnJrnl) changes to files, streams, and directories on volume u Volume Shadow Copy > keeps historical versions of files and folders on NTFS volumes u LogFile > record metadata changes to the volume

MFT – Master File Table DISK Forensics u u AnalyzeMFT : https://github.com/dkovar/analyzeMFT Memory Forensics u u Volatility Plugin > mftparser u Example :

Windows Event Log Security – populates authentication events u System – Windows System components activity u Application – tied to applications that leverage windows api, otherwise look u for local application event logs Forwarded Logs (Subscription Logging) u Old Event ID (EVT) + 4096 = New Event ID (EVTX) u

Windows Event Log Disk Forensics u u Will Ballenthin EVTX Parser u Command line : wineventvwr.msc u Event Log Explorer u FTK Imager Lite to copy locked files u Psloglist (sysinternals) Memory Forensics u u Volatility Plugin : evtlogs (xp/2003 only) u Volatility Plugin : evtxlogs (vista+)

Registry Artifacts u Hives Contain Keys/Values u Location : C:\windows\system32\config\ u NTUSER.DST : $USERPROFILE\NTUSER.DAT u Keys = Folders u Values = data stored in keys NTUSER.DAT SAM SYSTEM SOFTWARE • User Activity • Profile Users • System Configuration • Analyze USB Devices Password Policies Time Zone Windows Version • • • Group Information Network Interfaces Install Date of Machine • • •

Registry Artifacts u NTUSER.DAT u UserAssist Keys u Displays a list of the programs run by a user on Windows u Location : HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist u Didier Stevens Userassist u Shellbags u Based on structure of what you see when you view files via windows explorer u Tracks user window viewing preferences u TZWorks Shellbag Parser u MRU List Most Recently Used List from user u Regripper u u MUI Cache u Another Location to see if an executable has been run (doesn ’ t list the run time) u NIRSOFT MUICacheView

Registry Artifacts u DISK Forensics u Command line : regedit u Regripper u YARU (Yet another registry utility) u Memory Forensics u Volatility Plugin : dumpregistry

Registry Artifacts – Live Box FTK

SHIM Cache Application compatibility for windows u u Current versions of windows continually attempt to identify if application runs better on previous version of windows u Each version that runs on the windows system is a SHIM u Tracks compatibility issues u Records file path, size, last modified, last exec time (if supported by OS) u Located : Windows SYSTEM registry hive u (HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatibility\AppCompatCache HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache) u Mandiant ShimCacheParser

Prefetch Introduced in Win XP , designed to speed up the application startup process u Identifies when applications run u Prefetch file format : u u name of the executable u list of DLLs used by that executable u count of how many times the executable has been run u timestamp indicating the last time the program was run Prefetch Directory limited to 128 files u Win 7+ with SSD drives, not enabled by default u

Prefetch DISK Forensics u u LOCATION: C:\windows\prefetch u FileName Structure: <executable filename>-<prefetch hash>.pf u TZWORKS Prefetch Memory Forensics u u Volatility : PrefetchParser

RAM Items of Interest Volatility Screenshot u

RAM Items of Interest Volatility: iehistory u

RAM Items of Interest Volatility: mimikatz u Volatility: hashdump u Volatility: lsadump u

Home/DIY Logging Fun HP Arcsight Logger u Logrhythm Network Monitor Freemium u AlienVault OSSIM u Suricata IDS u ELK Stack u Bro network sensors u GrayLog u Apache Metron u

Links / Resources Forensic Artifacts u SANS Blog u Harlan Carvey u Didier Stevens u Forensics Wiki u Digital Evidence - Best Practices u SANS Memory Forensics Cheat Sheet u SANS Digital Forensics Cheat Sheet u

DEMO