DFIR
Profile Identification
Detecting the correct profile is crucial for memory analysis. The locations of artifacts differ among operating systems. Volatility uses the imageinfo command.
Preparation for Attack Scenarios
Estimate and prepare to address attack scenarios. Enumerate different attack scenarios. Test methodology. Develop procedures.
Top-Down Approach
Evaluate, manage, and execute business decisions made by high-level executives.
Listing DNS Cache
Even in private browsing mode, Windows maintains a DNS cache. ipconfig /displaydns displays the DNS cache in Windows. The records can help identify sites that were accessed in a non-monitored network.
Importance of Methodology: Incident Uniqueness
Every incident is unique, and procedures may not cover every possibility.
CoC Process: Evidence Locker
Evidence belongs in a safe
Threat Information: Indicators-of-Compromise (IoC)
Evidence of specific attack
Additional Plugins
evtlogs, getsids, iehistory, modscan
Digital Forensics (DF)
Examining and analyzing artifacts after a cyberattack.
ADS Identification
Explorer does not display ADS, but CMD does. Use dir to display the contents of a folder. dir /R displays the contents of a folder including any ADS (if one exists).
File Acquisition
File extraction is possible over the network, using dd. dd can copy files and partitions byte by byte. Using piping and input redirection, the data can be sent over the network.
Hex Editors
File headers can be viewed in any hex editor. Use the command xxd to instantly view the header. HxD is recommended for editing.
Metadata and EXIF
Files contain metadata hidden from the user. Metadata can include info regarding camera model and location. Tools like ExifTool can read that data and help the investigation
PhotoRec
Files deleted from a drive are not necessarily destroyed. They can often be recovered using special software. Tools like PhotoRec can parse drive images without accessing the file system.
Targeted Artifacts
Files on drive, Memory artifacts, Processes, Log files, Cached data
Browser Artifacts: Cache
Files, images, scripts, and other media-related data.
Backup Sites: A Hot Site
Is a backup site that's up and running continuously and ready for immediate switchover.
ZEEK
Is a framework used to parse, normalize, and correlate logs. It focuses on extracting security-related information from logs to detect anomalies. ZEEK was previously known as "Bro". ZEEK can read PCAP files and extract useful security-related fields from them.
Clonezilla
Is a live Linux distribution dedicated to cloning drives. Uses its own format to save images. It can clone more than 4 computers at the same time.
Threat Hunting
Is a proactive approach to handling cyber attacks. Its aim is to protect an organization from covert cyber threats. It is typically performed by Tier 3 SOC personnel. The average breach can go undetected for more than six months.
Threat Intelligence
Is based on "learning from others' mistakes". Forensics researchers can learn about new exploitation techniques from public sources. Threat intelligence involves much more than simply reading an article about a breach.
Autopsy
Is based on The Sleuth Kit. Autopsy automatically parses the MFT and shows ADS. Extract files by right-clicking and selecting Extract File(s).
FTK Imager
Is part of the FTK toolkit. The tool can be installed on the OS or executed from live media. Although the toolkit is commercial, the imaging software is free.
Drive Inspection Tools: Autopsy: Open-Source
Is part of The Sleuth Kit collection of Python tools used for forensic investigations.
Containment Strategies: Segmentation
Isolate infected networks from uninfected networks (less granular than blacklist/whitelist)
Ransomware Incident: Containment
Isolate infected workstations.
FAT32 vs. NTFS: FAT32
Introduced in 1977. Supports storage devices with up to 2 TB. Supports files of up to 4 GB. Non-recoverable. Cannot compress files.
FAT32 vs. NTFS: NTFS
Introduced in 1993. Supports storage devices with up to 256 TB. Supports files up to 256 TB. Recoverable. Can compress files without user interaction.
Six Investigation Steps: Processes
Investigate rogue processes.
DF for Trojan Delivery
Involves malware analysis. Reveals actions the Trojan performed in the system
Eradication
Involves total removal of an intruder. First comes evidence gathering and containment. Examples: malware destruction, image recovery.
SDEE
Proprietary Cisco Protocol
Event IDs: 4720
Created by user
Drive Inspection Tools: EnCase: Proprietary
Includes many advanced features for image inspection
What is evidence?: In digital forensics
Log records, files, processes, etc.
Logon Type IDs: 11
Logon with Cached Credentials
Full Clone
A full clone is the closest option to having the actual drive, but only some of the data on a drive is useful for forensics.
Data Carving: Bulk Extractor
Attempts to recover files without using a file system structure
$DATA Attribute
$DATA contains the data content of a file. By default, a file's $DATA attribute is not assigned a name. The attribute has no minimum or maximum size limit. In NTFS, any file can have up to 1,024 different $DATA streams.
Event IDs: 1102
Audit log was cleared
SOC Model Criteria
1. 24x7x365 availability required?, 2. Employee morale, 3. Cost, 4. Expertise, 5. Turnover & burnout, 6. Decision points, 7. Private information & NDA, 8. Investment planning, 9. Tooling & correlation, 10. Training, practice, and exercises.
Jump Kit Items
1. A powerful laptop, 2. Packet sniffers, 3. Screwdrivers, flashlights, tweezers, etc., 4. USB drive with essential applications (read-only), 5. Blank media disk drive, 6. Network cables, 7. Network hub or tap, 8. Write-blocking device(s) and hard drives.
DFIR Process
1. Collect evidence, 2. Examine collected data, 3. Analyze important artifacts, 4. Report the findings.
IRP: Six stages
1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons learned.
EC-Council Disaster Recovery Plan
1. Set clear recovery objectives, 2. Identify involved professionals, 3. Draft detailed network documentation, 4. Choose a data recovery technique, 5. Explicitly define an incident criteria checklist, 6. Document your entire disaster recovery procedure, 7. Regularly test your DRP, 8. Update your recovery plan continuously.
The dd Tool
A Linux CLI tool used to fully clone drives and partitions. Typically used via a live media drive.
Acquisition Tools: dd (Data Dump): Drive Acquisition
A Linux utility for managing and converting storage drives
PowerForensics
A PowerShell forensics framework. Works with FAT and NTFS. Can be launched from live systems. Depends mostly on master file table (MFT).
Query Builder: Log Parser Lizard
Built on Microsoft Log Parser 2.2. A user-friendly GUI with options to extract data from various types of logs.
Preservation
A critical part of any cyber investigation is the isolation and preservation of digital evidence in its original state. Preservation of evidence helps both the investigation and the legal process that may follow.
Extended File System
A family of file systems that includes Ext2, Ext3, and Ext4. Ext4 is the most common file system in Linux distributions. Ext4 includes many features, such as journaling, space allocation, and others.
Analysis Frameworks: Rekall
A framework developed by Google and an alternative to Volatility.
Browser Investigation Tools: BrowsingHistoryView
A free tool that can read history data from Internet Explorer, Firefox, Chrome, and Safari.
IR Execution: Successful IR
A good plan will provide a response for any relevant issue.
Process Investigation
A key step in DFIR is investigating processes on infected systems. In Windows, this can be done using Sysinternals tools. The tools include Process Explorer and Process Monitor.
Logical Image
A logical image narrows the search field. Some evidence may be spread across multiple partitions.
Common Hiding Mechanisms: Services
A malware service can be added to the system.
Event IDs: 4732
A member was added to a security-enabled local group.
Acquisition Tools: DumpIt: Memory Acquisition
A memory acquisition tool often used in Windows-based systems
Google Analytics Cookies
A method of tracking site visits, user activity, and other elements. Include time stamps and visit counts.
LiME
A more stable tool for memory dumping is LiME. LiME also supports mobile devices. A Python utility called LiMEaide enables remote memory dumping.
Data Carving: PhotoRec
A powerful carving tool mainly focused on media files
Importance of Methodology: Methodology
A predefined method of performing an action.
AppCompatCache
A registry key used to track compatibility issues. Contains data about the file path, size, and modification. The registry key is: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Master File Table (MFT)
A special file in NTFS systems that contains metadata for each stored file. Changes dynamically when files are added or removed.
Frequency
A spike in data over time may be considered abnormal behavior. Data can be monitored by hour, week, month, and year.
Common Hiding Mechanisms: Scheduled Tasks
A task can be scheduled to run a malicious payload.
Browser Investigation Tools: Axiom
A tool that can carve deleted artifacts from image captures.
Event IDs: 4725
A user account was disabled.
Analysis Frameworks: Volatility
A widely used framework for memory analysis and investigation.
Governance Perspective: Standards
Acceptable level of quality
CoC Process: Acquisition
Acquire forensic evidence
CoC Process
Acquisition, CoC Form, Evidence Locker, Check in/out
/var/log/cron
Active Cron job data.
What is threat hunting?
Active defense. Proactively searching for threats. (All the time, Find undetected threats, Host and network, Tier 3 in SOC)
Acquisition Tools: FTK Imager: Drive and Memory Acquisition
Advanced forensic GUI-based program that enables multiple operations on images
Manual Log Review Limitations
Aggregate vs Distinct logs, Search through millions of logs, Hard to see the big picture.
OSFMount
Allows you to mount local dd image files in Windows. It reads the disk partition bit for bit. By default, image files are mounted as read-only. Supports disks that are mounted in RAM.
What is ADS?
Alternate Data Stream. Method of loading more than one data sector into a single file. Works only with NTFS. Typically used to hide files.
Data Carving: HxD
Although not carving software, it is commonly used to view raw data
Event IDs: 4625
An account failed to log on
Memory Interaction: Volshell
An advanced debug shell that interacts with memory.
Benefits of Live USB
An essential part of any forensics toolkit. Used for data acquisition and live forensics.
Indicators of Compromise
An important part of dealing with a threat is obtaining IOCs. IOCs help determine if an organization was harmed by a threat that was implemented. IOCs can also be used to distinguish false positives.
Live Forensics
Analysis of system artifacts while a computer is powered on. Memory Dump. Virtual storage drive imaging. The main purpose is to acquire volatile data that would otherwise be lost if the computer was turned off.
Detecting Partitions
Analysis typically begins by identifying the partitions. Get-ForensicPartitionTable can detect partitions on a drive. Most images contain at least two partitions: system and boot.
DF Analysis Types: Dead Analysis
Analyzing powered-off computers. May include analysis of cloned drives.
DF Analysis Types: Live Analysis
Analyzing powered-on computers.
Manual MFT Extraction
Analyzing the MFT is necessary to obtain ADS. MFT analysis will show sorted entries on the partition. A dd raw image is required, but .E01 will also work.
What is evidence?: In court of law
Anything you saw, heard, or said, that proves something occurred
Prefetch Files
Applications executed in Windows create prefetch files. The files are used as cache for loading time optimizations. Even if a process is no longer active, the prefetch file may indicate previous executions.
Jump Lists
Artifacts that can indicate a user's interactions with the OS. Jump lists track files accessed by a user and list them in the Recent menu group. Can also be viewed in Explorer's Recent Items.
Hunting for Threats via CVEs
As part of threat hunting, a researcher may look for well-known CVEs. A potential attack vector for a computer may be a documented CVE.
NirSoft Launcher
As with a live USB, most forensic distros include additional tools. The tools can be executed without booting the distro. NirSoft Launcher is an example of a unified interface for such tools.
Multiple File Systems
At any given time, Linux hosts multiple file systems. Among them are tmpfs, squashfs, and others. The systems can be viewed using df -T.
Why attack logs?
Attackers do not want to get caught. Removing evidence from the target is crucial to remaining anonymous. Information in logs about passwords, hosts, and users can be used during an attack.
/var/log/secure /var/log/auth.log
Authentication and authorization privileges
What are Logs?
Automatically created to store records of events. Almost all apps and operating systems generate logs. Some applications and devices differentiate between various types of logs. Logs can be found according to their file names, or using GUI-based options.
Example of Evidence
Autoruns identifies possible startup locations. Startup programs can be evidence of persistent malware. The programs reside in known folders and registry keys.
CoC Process: CoC Form
Bag and tag it
Linux Log Commands: more
Basic terminal paging program that displays contents page by page
Logon Type IDs: 4
Batch
Containment Strategies: Blocklist/Allowlist Filtering
Block or allow a specific IP address range for network access.
Analysis Capabilities
Boot and Partitions, NTFS and EXT4, Windows Artifacts, Windows Registry, Application Cache
/var/log/boot.log
Boot message data
SANS Steps for Incident Response: Recovery
Bring infected production systems back online.
Browser Search History
Browsers save a user's search history. You can view the search history by clicking the search input line. You can disable auto-complete searches in the browser settings.
Creating ADS
By default, Explorer.exe can load only the default data of the file. Creating and loading data streams are done via CMD. To create an alternate stream, simply add :[stream] to a file's name.
Log Parser Lizard
The top pane is used for queries, the bottom pane displays the results. Charts can be used to discover trends in the logs.
CAINE Live
CAINE is a distribution that runs from a live USB. Its main feature is the ability to run entirely from RAM. It enables real-time forensic acquisition.
Query Builder: Microsoft Log Parser 2.2
CLI interface used to parse and investigate logs via SQL.
Microsoft Log Parser 2.2
Can investigate Windows Event logs from files, or from the Event Viewer. Supports many log types, including IIS, CSV, XML, and EVT.
Image Mounting
Captured images can be mounted directly in Linux. The losetup command is used to create a loop device. Loop devices can be mounted the same way as other devices are.
Six Investigation Steps: DLL and Handles
Check DLLs used by various executables.
Six Investigation Steps: Code Injection
Check for malware traces in memory.
Six Investigation Steps: Rootkits
Check for signs of rootkits
Six Investigation Steps: Network
Check network activity and artifacts.
ThreatConnect IOCs
Checking information posted in ThreatConnect can provide details about potential breaches. ThreatConnect provides a list of discovered IOCs. It also provides a way to search for IOCs.
What is CIA?
Cornerstone of an organization's security infrastructure. Helps security practitioners with risk assessment and asset management. Serves as a tool or guide for securing information systems.
/proc/PID/cmdline
Command line arguments.
Hashing
Common identification method. Can prove the identity of specific files.
What is Incident Response?
Confronting and managing a security breach or attack. Reducing damage and the cost of the recovery effort. (During an attack, Reduce further damage, Host and network, Tier 2 in SOC)
Timeline
Constructs a picture of all key logged events. Reveals the sequence of events. Mandatory in many forensic reports.
Virtual Drives
Contains RAW + VM data. Different formats for different vendors. Space can be dynamically allocated. Can be split across files. A file within the file system.
Virtual Memory
Contains RAW and VM data. Different formats for different vendors. The memory can be dynamically allocated. Can be captured by a hypervisor. An allocated area within the memory.
Physical Drives
Contains RAW data. No format, only bytes. The drive has a constant size. A single unit of data. A device with mechanical components.
Physical Memory
Contains RAW data. No format, only bytes. The memory has a constant size. Requires tools for capture. A device with mechanical components.
MFT Attributes: Data
Contains the data section of the file
Event IDs: 4727
Creation of a security-enabled global group
Image Conversion
Crash dumps and hibernation files cannot be read as is. They require conversion via the imagecopy command.
Chain-of-Custody (CoC)
Critical process. Document actions pertaining to forensic evidence. The process is employed in any field in which forensic evidence must be presented in a court of law. Any action that involves forensic evidence must be documented, or the bad guys will not be punished.
Attack Scenarios: Web
Cross-site scripting
Preparing for an Incident
Create a jump kit with tools to handle an event. Use CD-ROMs or flash drives with RO switches. Build an investigation VM for malware analysis. Work with snapshots after initializing the system. These steps are mandatory for ongoing incident management.
Ransomware Incident: Lessons Learned
Create a report about the incident.
Ransomware Incident: Preparation
Create blacklists of ransomware file extensions. Back up organization data.
/proc/PID/cpu
Current and last CPU on which it was executed.
Threat Intelligence
Cybersecurity is a team effort. Information and threat intelligence must be shared. Knowledge must be shared. Information sharing and analysis organizations (ISAOs) should be consulted.
Containment Strategies: Black Holing Shunt
DDoS traffic from a malicious network is dropped
DF Scenario: Data Leak
DF can be used to prove data leak events. File carving can be used to identify if files existed on media devices, even after deletion. Hashing can be used to verify file identification.
Common Hiding Mechanisms: AppCert DLLs
DLLs that run in every process can be infected.
/var/log/kern.log
Data logged by the kernel.
Attack Scenarios: Attrition
Defenses are gradually worn down (e.g., a brute-force attack).
SANS Steps for Incident Response: Preparation
Define critical security incidents. Perform risk assessment. Identify sensitive assets.
Pre-Analysis Notes
Define log analysis goals. Analyze logs to characterize the element that may be involved in an event. Use logs to choose appropriate tools for the investigation. Note that it is not recommended to search through a log line by line.
Should we sit and wait?
Delaying containment is not recommended. Be proactive and apply a containment strategy. Deception systems help containment and intelligence gathering. Apply containment as quickly as possible.
Event IDs: 4726
Deleted by user
Governance Perspective: Procedures
Describe each step required for specific tasks.
XFS
Designed to span multiple storage devices. Divides the file system into mapped blocks of data.
Anomaly Detection
Detecting events that did not previously occur in the system. Determining normal operation of users, per hour, to establish a baseline. There are proprietary systems that offer User Behavior Analytics (UBA) to monitor unusual events. Anomaly detection can trigger false positive alerts.
ThreatConnect
Different threat exchange platforms exist in the market. Their aim is to share information about newly discovered threats. ThreatConnect is an example of a platform that shares information regarding threats.
Coordination: Who do we talk to?: Public Affairs
Diplomatic communication with the public.
/proc/PID/fd
Directory that contains all file descriptors.
Containment Strategies: Host Isolation
Disconnect an infected system from the network
Threat Intelligence Process: Threat Intelligence
Distributed to and produced by ISAO
Deception Systems: Moving Target Defense
Diverts attacker resources to decoy systems.
Six Investigation Steps: Dump
Dump suspicious processes for in-depth analysis.
Proc Directory
Each process listed by ps or lsof is mapped in /proc/. Process directories are based on their PIDs. Each folder contains additional files required for the processes to run.
Containment Strategies: Email Filtering
Email filter controls updated with signatures/IoCs of phishing emails.
Most Valuable Asset
Employees are the most valuable assets. Employee skills represent 85% of a company's asset values.
Bottom-up Approach
Employees share their ideas and market observations.
Event Viewer Log Filtering
Enables faster viewing of essential event information. Filters include date and time, event level, event ID, and more. It is also possible to filter by XML.
Deception Systems: Intelligence Gathering
Enables gathering of TTPs.
NTFS Specialties: Indexing
Enables quick access to files stored on devices.
Coordination: Who do we talk to?: Legal Support
Ensures legal & policy compliance
Coordination: Who do we talk to?: Information Assurance
Ensures security controls and policy enforcement.
Confidentiality
Ensures sensitive data is accessed only by authorized individuals.
/proc/PID/environ
Environment variable values.
Environment Variables
Environment variables are always saved for each process, and may indicate where a process was executed from.
Incident Responder Responsibilities
Establish an effective incident response plan (IRP) and maintain its effectiveness based on potential threats. Investigate current and past incidents to analyze them. Provide recommendations according to analyzed incident findings.
Coordination: Who do we talk to?: Management
Establishes response policy, budget, and staffing.
Network Forensics: NetworkMiner
Focuses more on artifact recovery than protocol analysis
DF Domains: Network Forensics
Focuses on gathering data about traffic passing through network equipment
DF Domains: Host Forensics
Focuses on gathering data regarding hosts, such as files or memory
What is EXIF?
Includes GPS coordinates, camera models, and the exact time a photo was taken. Can be used as evidence when an investigator recovers photos.
State Capture
For proper investigation, the affected state must be preserved. A capture enables handling a threat and investigating it at the same time. A state capture prevents the loss of evidence.
The Procedure in CoC is Crucial
Forensics experts are careful about details. It is important to acquire evidence prior to eradicating a malicious agent. Other professionals must be informed of what was done to the evidence via the CoC form.
Incident Analysis
Gather information, determine the incident's scope of impact, produce an initial report.
/var/log/messages
Global system messages
Availability
Guarantee of non-stop access to data.
Importance of Methodology: Procedures
Guidelines and instructions
Backup Sites: A Warm Site
Has servers and other resources for backup purposes but is not as ready for switchover as a hot site.
Browser Artifacts: History
Includes entered URLs and webpages marked as favorites
Hashing
Hashing can verify file integrity. Hashing both the capture source and the captured image can prove a file's authenticity. In a criminal investigation, hashes can be used in a court of law to provide evidence of integrity.
Attack Scenarios: Espionage
Hired employees may be selling company secrets.
Threat Information: Tactics, Techniques, Procedures (TTPs)
How an intruder attacks - specific tools, vulnerabilities, botnets, etc.
Known Threat Exchanges
IBM X-Force, OTX, CrowdStrike, Facebook
DFIR Timeline
IR planning should be done prior to an attack. The average time for an attack to be detected is 6 months. Digital Forensics relies on data collected during IR.
Coordination: Who do we talk to?: IT Support
IT Technical experts.
IR for Web Server Defacing
Identify if and how the defacing occurred. Restore the content of the original site from backup. In some cases, the owner may choose to skip DF and restore the site immediately without it.
DF for Web Server Defacing: Identifying Persistence
Identify if any backdoors remain
DF for Web Server Defacing: Intrusion Detection
Identify the intrusion point.
Connections Lookup
If a suspicious connection is found, its IP can be looked up. The IP can also be correlated to a PID.
SANS Steps for Incident Response: Containment
Implement short-term containment and network segment isolation. Shut down hacked servers.
Cloning a drive with FTK
In FTK Imager, the capture is done through an interactive wizard. The wizard prompts the user to choose the drive or partition to clone and the format. Typically, the raw (dd) format is used, and the image is fragmented.
Linux Forensics Methods
In Linux everything has file representation: memory, running processes, etc. Dead and live analysis are similar in many aspects. Most Linux-based data is not binary.
DLL List
In Windows, information can be obtained by inspecting DLLs. DLLs can indicate network activity or access to special system APIs. DLLs for a specific process can be viewed using dlllist -p. dlllist displays all DLLs loaded for a process in the system.
IR for Social Engineering
In phishing cases, IR involves investigating the message and attached links. In real-world social engineering, the IR team can set up decoys.
Autopsy Features
Includes many tools to enhance the analysis of captured images. These tools include hash lookup, file carving, metadata extraction, and others. The tools can extract important data and index data for faster queries.
Drive Inspection Tools: FTK: Proprietary
Includes tools for cloned drive inspection
Suspicious Behavior
Increased traffic, Accessed file types, Service inspection, Domain identification, Persistence.
Attack Scenarios: External Media
Information obtained via USB or external drive.
MFT Attributes: Standard Information
Information such as time stamps and link counts.
Intelligence Gathering: Threat Information
Information that helps understand how an attacker operates to improve protection.
Incident Detection: Precursor
Information that indicates an attack may be imminent.
Log Classification
Informational, Debug, Warning, Error, Alert.
Inode Structure
Inodes are the Linux equivalent of MFT. They map files to the system, without file names, and include timestamps.
Inodes
Inodes can be viewed using the ils and fsstat commands. By default, ils only displays deleted inodes. Inodes can be viewed more elaborately on live systems.
Coordination: Who do we talk to?: Human Resources
Insider threat situations, employees who violate policies.
Kernel Modules
Inspecting the kernel modules may reveal malicious activity. Kernel modules can be hidden, and require a more thorough investigation.
Processes
Instances of computer programs that are being executed. Contain program code and activity.
Intangible Assets
Intellectual property, patents, trademarks, etc.
Logon Type IDs: 2
Interactive login
Asset Definition
Item of value related to organizational objectives. Can be a computer or data. Assets have interrelated characteristics such as value, criticality, and their involvement in business objectives.
Journaling
Keeps track of changes not yet committed to the file system. Journaling can be done on an entire file or just its metadata. Was introduced in Ext3, and improved in Ext4.
Threat Hunting Process: Knowledge
Know your system, and your enemy.
Threat Hunting
Know your system. Know your enemy. Proactively search for system IoCs. Review logs and other data for evidence and IoCs. Share information.
Threat Hunting Process
Knowledge, Search, Review, Report, Sharing.
Parental Structures
Legitimate processes have identifiable parent tree structures.
/proc/PID/cwd
Link to the current working directory.
/proc/PID/exe
Link to the process executable.
File System Debugging
Linux has a special utility to debug file systems called debugfs. debugfs can also be used to recover files.
Linux Memory: RAM
Linux uses RAM in a similar way to Windows. RAM can be investigated using Volatility.
Static Binaries
Live CDs should be mounted as RO. Although the binaries are static, some may rely on other binaries to work. BusyBox is also commonly used in such cases.
MFT Attributes: Attribute List
Location of additional attributes outside the MFT.
Linux Log Basics
Logs are different in CentOS/RedHat and Ubuntu/Debian. Almost all log files are located in the /var/log directory. To view or access the log files, you must have root permissions.
/var/log/dpkg.log /var/log/yum.log
Logs data when a package is installed or removed
Undetected Incidents: Log & Artifact Retention
Long log retention and 3rd party experts.
Common Hiding Mechanisms: Bootkit
MBR can be manipulated to load malware upon restart.
MMLS
mmls is part of The Sleuth Kit. It displays the volume contents with start and end sectors. E01 images must be mounted first by running ewfmount [image] [path].
Memory Dumping Tools
MWMT, FastDump, FTK Imager, WinPmem. The primary difference among memory-capturing tools is the formats they support.
Suspicious Details
Malicious processes will often attempt to copy the names and PIDs of legitimate processes.
Common Hiding Mechanisms: Startup Folder
Malware can be hidden in a startup folder.
Persistence
Malware may use persistence techniques to preserve a foothold in a compromised computer. Persistence techniques may also constitute IOCs. Although many persistence techniques exist, malware developers typically stick to just a few. Since persistence is performed using high-level privileges, many types of malware launch Privilege Escalation attacks.
Attack Scenarios: Impersonation
Man-in-the-Middle, social engineering
Database
Many applications work with database event logs.
Malware Forensics
Many types of malware have been developed. Each type behaves differently. Malware activity can be discovered by analyzing the behavior of a computer.
Decision Tree
Memory extraction is dependent on the system type. Memory dumping is different for bare-metal and virtual systems. For bare-metal, the acquisition depends on whether the system is on or off.
Decision Tree -Recap
Memory extraction is directly affected by the system's state. Memory dumping is different in bare-metal and virtual systems. For bare-metal, the acquisition depends on whether the system is on or off.
VM Metadata
Memory obtained from VMs will have additional metadata. In a virtual block, this data is saved in a structure called DBGFCOREDESCRIPTOR. VMware metadata can be extracted using the vmwareinfo command.
How?
Method or procedure used to handle the evidence. (Example: disk image procedure)
SANS Steps for Incident Response: Identification
Monitor IT systems and detect deviations from normal operation.
Ransomware Incident: Identification
Monitor and look out for blacklisted extensions.
NTFS Specialties: Alternate Data Stream
More than one resource included in a single file.
Browser Search Terms
Most modern browsers successfully save search terms. Some search terms can be derived from URLs.
Hiding Files
Most operating systems only pay attention to the first header. Multiple files may be hidden by concatenating hex data. Saving each hex section will result in a complete file.
Attributes
NTFS uses attributes to save information regarding files. Attributes define data structures for raw bytes. Attribute definitions are saved in a file called $AttrDef.
NIST
National Institute of Standards and Technology. Non-regulatory government agency that develops technology, metrics, and standards. Part of the U.S. Department of Commerce.
Network Data Extraction
Netstat can be used to obtain network information. Netstat can show open and established sockets. This is useful when attempting to identify backdoors.
Logon Type IDs: 3
Network
Logon Type IDs: 8
Network Clear text
SNMP
Network device management
Identifying New Tools
New exploitation tools are being developed every day. Threat Intelligence can help keep track of useful tools and their lists of IOCs. Being aware of possible dangers can improve detection and security preparation.
Undetected Incidents: Undetected Incidents
Not all incidents are obvious or detected.
Commercial Tools
Not many memory-acquisition tools exist in the market. You can use PCI devices, but there aren't many for memory capturing, and they are expensive.
Deleting Logs using the Event Viewer
Not useful, since logs are generated when logs are deleted. SIEM monitors this type of event.
Undetected Incidents: Vigilance
Notice anything out of the ordinary? Do we have the right tools to discover an incident?
Incident Detection: Automation & Orchestration
Obtaining a timeline from host and network-based tools.
Governance Perspective: Policies
Official statements that reflect the stance and direction of top-level management.
Clonezilla Capture Modes: Remote-Source
One of Clonezilla's most important features is that it can clone over the network.
Memory Analysis
One of the most important sources of information. An entire area of expertise. Extremely useful in malware analysis.
Fmem Kernel Module
One way to create a memory dump is to use the fmem kernel module. The kernel module creates /dev/fmem, which can be captured. Because the memory is dynamic, issues may arise when using dd.
Memory Inspection: Volatility Framework
Open-source collection of Python tools supported by both Linux and Windows
Memory Inspection: Rekall
Open-source framework for advanced forensic and incident response
Network Forensics: Wireshark: Static Analysis
Operates on data that was already captured.
Coordination: Who do we talk to?: Physical Security
Organization-wide drills regarding facilities
Disaster Recovery Plan (DRP)
Outlines response strategies for unplanned events. Helps minimize the effects of a disaster. Earthquakes, fires, floods, cyberattacks, and others. Determines which applications must remain operational.
Process Information
PID, Remote connections, File system modifications, Registry changes, DLL usage.
Windows Page File
Page files store data when the RAM is low on space. Although page files may contain useful data, they are not memory files. A page file is investigated by extracting strings.
Incident Response (IR)
Performing actions when a security breach occurs.
Attack Scenarios: Email
Phishing
Tangible Assets
Physical items such as company vehicles, buildings, hardware, software, etc.
Threat Information: Precursors
Point to a possible attack - vendor advisories, detection of a vulnerability scanner, and recon attempts.
Threat Information: Indicators
Point to a probable attack - malicious files reported in logs.
Incident Detection: Indicators
Pointers to an incident that may be underway.
Operation Modes: Mounted Drive
PowerForensics can be used on mounted drives and non-mounted physical drives.
ADS in PowerForensics
PowerForensics can detect alternate streams. If provided with a volume, it will list all files with an ADS. If provided with a path, it will list all the streams of the file.
Operation Modes: Live System
PowerForensics was initially developed as a forensic toolkit for live systems.
Irrecoverable Artifacts
PowerShell history, Prefetch, DNS cache, USB devices. During reboot, some artifacts may be partially deleted.
Threat Intelligence Process: Threat Information
Precursors, IoC, TTPs
Prefetch Location
Prefetch files contain process activity cache. If not disabled, Windows stores prefetch files in C:\Windows\Prefetch. The files contain metadata regarding the application.
Ransomware Incident
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
SANS Steps for Incident Response
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
SANS Steps for Incident Response: Lessons Learned
Prepare complete documentation of the incident.
Windows Event Viewer
Presents details of events (at the bottom of the window). Each event category has a unique ID. The details section displays events in XML format.
KDBG for System Profiling
Prior to analysis, the memory structure needs to be identified. Volatility uses the _KDDEBUGGER_DATA64 structure to detect the Windows version. Rekall uses global symbol information.
Prioritize Incidents
Prioritize by function, information sensitivity, and difficulty of recovery.
SANS
Private organization established in 1989. Offers research and education in the field of information security.
Threat Hunting Process: Search
Proactively seek evidence and IoCs
Process Investigation
Processes in Linux have file representations. Process files include metadata associated with the process. Processes are mapped in the /proc directory. The /proc directory uses tmpfs, meaning the files are saved in volatile memory.
Six Investigation Steps
Processes, DLL and Handles, Network, Code Injection, Rootkits, Dump
LEA
Proprietary Checkpoint Protocol
Forensic Image Formats: E01
Provides compression, a per-file checksum, and password protection.
Non-Repudiation
Provides proof of the origin and integrity of data. Can be achieved with digital signatures or timestamps.
Process Acquisition
ps is used in Linux to acquire process information. However, from a forensics perspective, lsof is better. lsof lists the files used by processes.
Pslist and Pstree
Pslist is a basic plugin used to view the process list. Pstree is more advanced and shows the process hierarchy as well. Alternatively, processes can be correlated using the PID and PPID values. Psxview can also be used to tell if a process is trying to hide.
Memory Dump Formats
RAW, Crash Dump, Hibernation, EWF, AFF4
Capture Formats
RAW, ISO, EWF, dd. The capture format is based on the media from which it is captured.
Ransomware Incident: Eradication
Re-image the system's hard drive. Fix vulnerabilities.
Linux Log Commands: head
Reads the first 10 lines of a file.
Linux Log Commands: tail
Reads the last 10 lines of a file
File Carving
Reassembles files from fragments when no metadata is available. File carving can be used to recover partially overwritten files. Carving can sometimes detect poorly hidden files.
Governance Perspective: Guidelines
Recommendations or suggestions that are not necessarily mandatory
NTFS Specialties: Journaling
Recording storage device activity.
Common Hiding Mechanisms: Registry Keys
Regedit can be used to hide and launch programs automatically.
Recoverable Artifacts
Registry entries, File logs, Master file table, Browser history, USB devices
Logon Type IDs: 10
Remote interactive
SANS Steps for Incident Response: Eradication
Remove malware from infected systems. Identify and fix the root cause.
Deleting files from %system32%\winevt\logs
Requires high-level privileges. To execute this, the Event Log service must be disabled. Doesn't delete all recent logs.
IR for Trojan Delivery
Response depends on whether the Trojan was already executed. If executed, it focuses on containment and eradication
SOC Responsibilities
Responsible for the most critical IT systems in a company. Detect, analyze, and respond to cybersecurity incidents. Employ people with high-level skill in IT and cybersecurity.
RACI Table
Responsible, Accountable, Consulted, Informed. The table's main purpose is project management. Used to assign roles and responsibilities for each incident alert.
Ransomware Incident: Recovery
Restore the backup. Search online for a decryption key and decrypt the workstation files.
What is digital forensics?
Revealing and collecting all electronic data without modifying or contaminating it. Preserving evidence and reconstructing past events. (After attack, Find evidence, Host and network, Tier 3 in SOC)
Threat Hunting Process: Review
Review logs and data for IoCs
SIFT Workstation
SIFT is a virtual Debian appliance dedicated to DF. Developed by SANS, a leading cybersecurity training institution. Comes as a pre-packed OVA.
SOC Relationship with IR
SOC team isn't responsible for incident handling. During an incident, SOC detects the event and notifies the IR team.
Deleted Files
When a user deletes a file, it is not actually deleted. The file is marked as unallocated. The file will remain in the system until its sector is overwritten.
Cmdscan
Scans for a command line history buffer.
Sockets
Scans for all open sockets. Sockets displays only local open ports. It shows both TCP and UDP ports. Not all ports detected by Connscan will be displayed by Sockets. Connscan and Sockets should be used as complementary plugins.
Consoles
Scans for available console information. Consoles is not generally used in Windows.
Connscan
Scans for identifiable TCP connections in older versions of Windows.
Linux Log Commands: grep
Searches for specific strings in files.
Logon Type IDs: 5
Service
Baseline
Sets a standard for normal behavior, for the purpose of comparison. Example: how many 'su' commands are used per hour, each day.
Threat Hunting Process: Sharing
Share threat information with the team
Linux Log Commands: less
Similar to the more command, but with search options.
Statistical Analysis Intro
Some events will not be noticed if they occur only once. When a malicious event occurs only once, it may appear to be a legitimate action. When malicious events occur in large volumes, it is much easier to detect them.
Fileless Malware
Some malware can run in memory without creating files in the system.
Hidden Processes
Some processes may attempt to hide their execution.
DLL Dump
Some DLLs loaded by processes can be dumped. DLLs should be dumped per process. A memory capture can contain thousands of DLLs.
Significance of Live Forensics
Some data may be lost when a computer is turned off. Over time, OS data may be overwritten. Some data may be encrypted when a system is shut down.
Registry Keys
Some registry keys can be extracted from memory. One of the most common keys to check is winlogon.
Customized Tools
Some tools can only be used for specific devices, such as DVRs. Some forensic tools are custom-made for dedicated parsing
File Dumping
Sometimes files are found in memory. Files in memory can be dumped using Dumpfiles. For Dumpfiles to work, the offset must first be found. Files loaded in memory are typically DLLs.
BTRFS
Space-efficient file system. Supports compression and snapshots.
Linux Forensic Acquisition
Static binaries are used for minimal footprint on the system. Binaries should be loaded from a live CD. In most cases, such Rescue CDs are custom made.
Attack Scenarios: Loss/Theft
Stolen laptop or mobile device.
PowerShell Logs
Store historical PowerShell commands. Two ways to view historical PowerShell records: Open PowerShell and click the "up" key; Open the file at the following location: %AppData%\Microsoft\Windows\PowerShell\PSReadLine. PowerShell history helps detect "fileless" attacks.
Why use Logs?
Store information that is not found elsewhere. Record useful information about certain events in the system. Logs can help the troubleshooting process when errors occur. Regarded as evidence in a court of law. Required for many GRCs. Included in an incident response investigation.
Browser Cache: Chrome
Stores cache in C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Profile 1\Cache
Browser Cache: Firefox
Stores cache that can be viewed by entering about:cache in the URL field
Cache
Stores images, cookies, etc. Harder to clear. The format is different among browsers. May not disclose visited sites. Not saved in private mode.
Registry
Stores information in key-value format. The registry can help identify persistent threats that execute during boot. One of the keys is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
History
Stores only URLs. Easily cleared. The format is the same among browsers. Explicit indication of visited sites. Not saved in private mode.
Forensic Image Formats: AFF
Stores the imaged disk as compressed segments for better storage, together with metadata about the image.
Event IDs: 4624
Successful logon
Threat Hunting Process: Report
Summarize findings
Boot Record Types: GPT
Supports up to 16 exabytes. Supports up to 128 partitions.
Boot Record Types: MBR
Supports up to four partitions per storage device. Works only with storage devices of up to 2 TB.
Swap Digger
Swap Digger is a Bash script that automates swap analysis. The script looks up passwords and URLs. Swap Digger can operate on live systems and mounted captures.
Network Time Protocol
Syncs clocks across the network. Ensures a more accurate event timeline. Can operate locally, or over the internet.
Threat Information: Protection Profiles
Systems must work with anti-virus apps, patches, and security upgrades.
Threat Hunting vs. Threat Intelligence
TI: Involves obtaining threat-related information from various sources. The technique is used to improve the level of security in an organization. TH: Involves the discovery of seemingly undetectable breaches. The process investigates anomalies and suspicious activity. TH includes forensics, log parsing, and research.
Threat Intelligence Process: Team Review
Teams review threat information
DNS Cache
Temporary database maintained by the computer's OS. Contains records of recent visits to websites and other internet domains.
Linux Log Commands: awk
Text processing program for better log viewing
Containment: Scope & Strategy
The scope of the intrusion must be evaluated to apply an effective strategy.
Linux Memory: SWAP
The Linux equivalent of the Windows page file. Can be a file or an entire partition. The swapon -s command can be used to check the location of the swap.
RunMRU
The Run prompt uses the Most Recently Used (MRU) utility. The registry key is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Features such as Find and Printers also use MRU.
JLS and JCAT
The Sleuth Kit provides tools to inspect the journal. JLS lists all the blocks, and JCAT prints information of a given block. The block data itself is usually unreadable, but may include file names.
ICAT
The second step is to extract the raw MFT from the partition. The ICAT tool will extract a raw and unparsed MFT. ICAT uses the sector's offset and length to obtain data.
Integrity
The certainty that data is trustworthy and accurate (unaltered).
Extracting the Executable
The executable for each process can be extracted using cp. Extraction will work even if the executable was deleted.
AnalyzeMFT
The final step is to parse the raw MFT to a readable file. Use analyzeMFT.py to parse the raw table to a CSV file. analyzeMFT is preinstalled in the SIFT workstation.
Capturable Evidence: Hard Drive
The hard drive may contain file and log evidence.
What to Attack
The host in which logs are generated. Transmitted logs. Agents that collect logs. Database in which logs are stored. Log attacks are aimed at disrupting a service, or changing, deleting, and viewing log data.
Capturable Evidence: Memory
The memory is full of evidence, such as live processes
What is a file system?
The method computers use to manage the storage and retrieval of data. File systems isolate data on storage devices for easier and faster identification and access.
Memory Interaction: Plugins
The most common method is to analyze memory using Volatility
IR Execution: Following the steps
The plan should include various steps, such as containment and eradication.
Containment
The process of endeavoring to stop the spread of a cyber intrusion.
Browser Investigation
The purpose of a browser is to connect to the internet and facilitate a simple and friendly user experience. Browsers typically collect data about a user's searches and other activities. Most of the collected data can be retrieved by analyzing the browser's cache files.
Image Investigation
The traditional way to investigate an image is to open it in a dedicated software tool. An alternative method is to create a VM based on the image. If a drive is encrypted, the preferred method of investigation is to create a VM based on the image.
Process Dumping
This is an important technique in any investigation. Procdump allows dumping a process as an executable. The executable can then be further inspected and analyzed.
BrowserHistoryView
This lightweight tool helps cross-search browsing history. The tool is available from NirSoft. It does not display information such as cached credentials.
Clonezilla Capture Modes: Device-device
This option clones an entire drive or partition to another drive or partition
Clonezilla Capture Modes: Device-Image
This option creates an image capture from an actual drive.
Threat Hunting Cycles
Threat Hunting is often divided into separate categories. The hunt in each category will include different targets. A hunt cycle can be created to change the focus of the Threat Hunting process periodically.
Threat Intelligence Process
Threat Information, Team review, Synthesize & report, Threat intelligence
Intelligence Gathering: Threat Intelligence
Threat information that is processed and analyzed to devise more effective security measures. Threat intelligence is based on threat information and translates it into effective action.
Why do we need IR?
To contain threats and prevent them from spreading and causing additional damage. To help an organization recover after a breach occurs.
Identifying Suspicious Behavior
To identify malware activity, suspicious system behavior must be monitored continuously. Several tools can be used to monitor such behavior, including Wireshark and PowerShell.
Extraction over NC
To prevent writing to disk, data acquisition should be done over the network. Netcat is typically used to send and receive the data. On the compromised host, a static binary or nc (Netcat) is used.
DF for Social Engineering
Traces are usually emails, messages, and suspicious links. The evidence is typically collected from employees. Is followed by threat hunting to determine whether other employees were also affected
Tracking Breaches
Tracking CVEs is often not enough. More information must be gathered online. By sharing information about breach IOCs, a researcher can easily find potential attack vectors. The vectors can be used to compromise a network.
Accountability
Tracks user activities during an incident. Enforced through audits.
MFT Attributes: Index Root
Used to implement folders and other indexes.
Threat Intelligence Process: Synthesize & Report
Turn information into action
Maps and Descriptors
Two other useful commands are maps and fd. Maps lists all loaded libraries. Fd lists all file descriptors.
Windows Logs
Types: Application, Service, Security, System. Application and Service logs include many useful logs, such as PowerShell and Terminal Service. Can be used to troubleshoot BSOD errors. Can be used to investigate successful and failed logons.
Threat Information: Security Alerts
Typically sent by logs or SIEM
URL Identification
URLs represent network-related information not identified in memory. There is no available utility that can be used to scan for URLs. URLs can, however, be retrieved via Strings or Bulk Extractor.
USB Logs
USB connections do not create logs or files. They trigger special events in Event Viewer. USB connection events can be viewed using USBDeview by NirSoft.
USB Devices
USB is an industry standard for device connection, data transfer, and power supply. USB devices belong to one of several classes, including HID, storage, and others.
Linux Log Attacks
Unlike in Windows, manipulating log files is much easier in Linux. Must have sudo permission to modify logs. The following command modifies a log in a UNIX-like system: sudo nano /var/log/messages
PowerForensics Scripting
Unlike regular browsing, PowerForensics lists files by parsing the MFT. It enables script-like functionality and smart searching.
Logon Type IDs: 7
Unlock
MFT Attributes: File Name
Up to 255 characters
Containment Strategies: Indicators of Compromise (IoC)
Use and implement patterns of known attacks to prevent attack propagation (e.g. IPS)
ADS Execution
Use the type command to read alternate data. You can execute data in an alternate stream. Execution does not depend on the main data's type.
Dumping Memory in FTK Imager
Use tools like FTK Imager and DumpIt to capture memory in a non-virtual system. The main benefit of FTK Imager is that it can capture the page file. Capture memory using FTK Imager via the RAM icon in the menu at the top.
Syslog
Used by Linux OS with TCP/UDP protocol on port 514.
Event Viewer
Used by Microsoft Windows.
DF Distributions: REMnux
Used mainly as a persistent forensics system for memory artifacts
DF Distributions: Computer Aided INvestigative Environment (CAINE)
Used mainly for acquisition and live forensics
Autopsy
Uses forensic tools from The Sleuth Kit forensic toolkit. Each case to be examined in Autopsy is created separately. A case can include multiple captures.
Virtual Drive Formats
VHD, VMDK, VDI, VHDX
VMware Memory
VMware automatically creates a memory dump whenever a snapshot is taken. Memory files will typically be in .vmem, .vmsn, and .vmss formats. The .vmem files contain both the memory schema and metadata.
Attack Scenarios: Improper Usage
Violation of acceptable usage policy, disciplinary action by HR
Memory Capture in VirtualBox
VirtualBox memory acquisition is more technical than other memory acquisitions. VirtualBox starts the VM in debug mode. The memory is captured in the debug console.
Image Splitting
Virtualization software splits a drive into multiple files. To perform an investigation, you will need all the files. Splitting is done to increase read and write speeds.
Malfind
Volatility includes the Malfind plugin that detects possible code injection. Malfind detects executable sections in memory.
Volatility
Volatility is a popular framework used for memory analysis and investigation. It includes various Python-based tools for memory artifact extraction. Google's Rekall rivals Volatility but currently is not as popular.
Third-Party Plugins
Volatility supports third-party plugins that can be used in more complex investigations. The plugins are helpful when analyzing sophisticated attacks. Hollowfind is a plugin used to detect process hollowing attacks.
MFT Attributes: Object ID
Volume-unique ID used by link-tracking services
What?
What evidence was being accessed? (Example: disk image)
Where?
What is the location at which the evidence was accessed?
Encrypted Systems
When loaded into memory, most information will be unencrypted.
Crash Dumps
When the Windows operating system crashes, it creates a memory dump. The size of the memory dump can be defined in the system settings. When the computer recovers, a memory.dmp file will appear in the %systemroot% directory.
When?
When was the evidence accessed?
Backup Sites: A Cold Site
The cheapest option; it does not always have the necessary equipment to enable the resumption of normal operation.
Who?
Who handled the evidence?
MFT Attributes: Security Descriptor
Who owns the file
CoC Process: Check in/out
Who, What, Where, When, Why, How (5W1H)
Why?
Why was the evidence accessed? (Example: to make a copy)
WinPrefetchView
WinPrefetchView is a tool used to analyze prefetch files. The tool is freely available from NirSoft. It can determine the file's last execution and location.
FlareVM
Windows can be turned into a DF environment using the FlareVM script. The script installs and configures many MA and RE tools.
Hibernation
Windows hibernation files are compressed memory files. Use Volatility's imagecopy tool to convert hibernation files. Hibernation files are classified as system files and are hidden by default.
Legitimate Tree
Windows maintains an organized process hierarchy. Out-of-place processes are easily identifiable. For example, svchost.exe must be executed under services.exe.
Coordination: Who do we talk to?: BCP/DR
Works closely and in parallel with IRT
Format Conversion
You can convert virtual drives from one format to another. Among such tools, qemu-img is used for this purpose. qemu-img supports many formats and versions.
Attribute Forensics
You can parse attributes in a file system using PowerForensics. The attributes list includes the mapping of data on the drive.
Files & Records
You can use PowerForensics to view files and file information. It can also detect special files, such as $MFT and $Volume.
ZEEK Logs
ZEEK can monitor traffic on its own, or investigate PCAP files. ZEEK outputs log files in a structured format, with predefined names. ZEEK can also be used online to parse small PCAP files.
Artifact Locations: Chrome Favorites
\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Artifact Locations: Chrome Cookies
\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Cookies.db
Artifact Locations: Chrome URLs
\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\History
Artifact Locations: Firefox Cookies
\Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\cookies.sqlite
Capture Tools
dd, Clonezilla, FTK Imager, Acronis, Falcon