DFIR


Profile Identification

Detecting the correct profile is crucial for memory analysis, because the locations of artifacts differ among operating systems. Volatility uses the imageinfo command to identify the profile.

Preparation for Attack Scenarios

Estimate and prepare to address attack scenarios. Enumerate different attack scenarios. Test methodology. Develop procedures.

Top-Down Approach

Evaluate, manage, and execute business decisions made by high-level executives.

Listing DNS Cache

Even when a browser is in private mode, Windows maintains a DNS cache. ipconfig /displaydns displays the DNS cache in Windows. The records can help identify sites that were accessed in a non-monitored network.

Importance of Methodology: Incident Uniqueness

Every incident is unique, and procedures may not cover every possibility.

CoC Process: Evidence Locker

Evidence belongs in a safe

Threat Information: Indicators-of-Compromise (IoC)

Evidence of specific attack

Additional Plugins

Evtlogs, Getsids, Iehistory, Modscan

Digital Forensics (DF)

Examining and analyzing artifacts after a cyberattack.

ADS Identification

Explorer does not display ADS, but CMD does. Use dir to display the contents of a folder. dir /R displays the contents of a folder together with any ADS (if it exists).

File Acquisition

File extraction is possible over the network, using dd. dd can copy files and partitions byte by byte. Using piping and input redirection, the data can be sent over the network.

Hex Editors

File headers can be viewed in any hex editor. Use the command xxd to instantly view the header. HxD is recommended for editing.

Metadata and EXIF

Files contain metadata hidden from the user. Metadata can include info regarding camera model and location. Tools like ExifTool can read that data and help the investigation.

PhotoRec

Files deleted from a drive are not necessarily destroyed. They can often be recovered using special software. Tools like PhotoRec can parse drive images without accessing the file system.

Targeted Artifacts

Files on drive, Memory artifacts, Processes, Log files, Cached data

Browser Artifacts: Cache

Files, images, scripts, and other media-related data.

Backup Sites: A Hot Site

Is a backup site that's up and running continuously and ready for immediate switchover.

ZEEK

Is a framework used to parse, normalize, and correlate logs. It focuses on extracting security-related information from logs to detect anomalies. ZEEK was previously known as "Bro". ZEEK can read PCAP files and extract useful security-related fields from them.

Clonezilla

Is a live Linux distribution dedicated to cloning drives. Uses its own format to save images. It can clone more than 4 computers at the same time.

Threat Hunting

Is a proactive approach to handling cyber attacks. Its aim is to protect an organization from covert cyber threats. It is typically performed by Tier 3 SOC personnel. The average breach can go undetected for more than six months.

Threat Intelligence

Is based on "learning from others' mistakes". Forensics researchers can learn about new exploitation techniques from public sources. Threat intelligence involves much more than simply reading an article about a breach.

Autopsy

Is based on The Sleuth Kit. Autopsy automatically parses the MFT and shows ADS. Extract files by right-clicking and selecting Extract File(s).

FTK Imager

Is part of the FTK toolkit. The tool can be installed on the OS or executed from live media. Although the toolkit is commercial, the imaging software is free.

Drive Inspection Tools: Autopsy: Open-Source

Is part of The Sleuth Kit collection of Python tools used for forensic investigations.

Containment Strategies: Segmentation

Isolate infected networks from uninfected networks (less granular than blacklist/whitelist)

Ransomware Incident: Containment

Isolate infected workstations.

FAT32 vs. NTFS: FAT32

Introduced in 1977. Supports storage devices with up to 2 TB. Supports files of up to 4 GB. Non-recoverable. Cannot compress files.

FAT32 vs. NTFS: NTFS

Introduced in 1993. Supports storage devices with up to 256 TB. Supports files up to 256 TB. Recoverable. Can compress files without user interaction.

Six Investigation Steps: Processes

Investigate rogue processes.

DF for Trojan Delivery

Involves malware analysis. Reveals actions the Trojan performed in the system.

Eradication

Involves total removal of an intruder. First comes evidence gathering and containment. Examples: malware destruction, image recovery.

SDEE

Proprietary Cisco Protocol

Event IDs: 4720

Created by user

Drive Inspection Tools: EnCase: Proprietary

Includes many advanced features for image inspection

What is evidence?: In digital forensics

Log records, files, processes, etc.

Logon Type IDs: 11

Logon with Cached Credentials

Full Clone

A full clone is the closest option to having the actual drive, but only some of the data on a drive is useful for forensics.

Data Carving: Bulk Extractor

Attempts to recover files without using a file system structure

$DATA Attribute

$DATA contains the data content of a file. By default, a file's $DATA attribute is not assigned a name. The attribute has no minimum or maximum size limit. In NTFS, any file can have up to 1,024 different $DATA streams.

Event IDs: 1102

Audit log was cleared

SOC Model Criteria

1. 24x7x365 availability required?, 2. Employee morale, 3. Cost, 4. Expertise, 5. Turnover & burnout, 6. Decision points, 7. Private information & NDA, 8. Investment planning, 9. Tooling & correlation, 10. Training, practice, and exercises.

Jump Kit Items

1. A powerful laptop, 2. Packet sniffers, 3. Screwdrivers, flashlights, tweezers, etc., 4. USB drive with essential applications (read-only), 5. Blank media disk drive, 6. Network cables, 7. Network hub or tap, 8. Write-blocking device(s) and hard drives.

DFIR Process

1. Collect evidence, 2. Examine collected data, 3. Analyze important artifacts, 4. Report the findings.

IRP: Six stages

1. Preparation, 2. Identification, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons learned.

EC-Council Disaster Recovery Plan

1. Set clear recovery objectives, 2. Identify involved professionals, 3. Draft detailed network documentation, 4. Choose a data recovery technique, 5. Explicitly define an incident criteria checklist, 6. Document your entire disaster recovery procedure, 7. Regularly test your DRP, 8. Update your recovery plan continuously.

The dd Tool

A Linux CLI tool used to fully clone drives and partitions. Typically used via a live media drive.

Acquisition Tools: dd (Data Dump): Drive Acquisition

A Linux utility for managing and converting storage drives

PowerForensics

A PowerShell forensics framework. Works with FAT and NTFS. Can be launched from live systems. Depends mostly on master file table (MFT).

Query Builder: Log Parser Lizard

A GUI built on Microsoft Log Parser 2.2. User-friendly interface with options to extract data from various types of logs.

Preservation

A critical part of any cyber investigation is the isolation and preservation of digital evidence in its original state. Preservation of evidence helps both the investigation and the legal process that may follow.

Extended File System

A family of file systems that includes Ext2, Ext3, and Ext4. Ext4 is the most common file system in Linux distributions. Ext4 includes many features, such as journaling, space allocation, and others.

Analysis Frameworks: Rekall

A framework developed by Google and an alternative to Volatility.

Browser Investigation Tools: BrowsingHistoryView

A free tool that can read history data from Internet Explorer, Firefox, Chrome, and Safari.

IR Execution: Successful IR

A good plan will provide a response for any relevant issue.

Process Investigation

A key step in DFIR is investigating processes of infected systems. In Windows, this can be done using Sysinternals tools. The tools include Process Explorer and Process Monitor.

Logical Image

A logical image narrows the search field. Some evidence may be spread across multiple partitions.

Common Hiding Mechanisms: Services

A malware service can be added to the system.

Event IDs: 4732

A member was added to a local security-enabled local group.

Acquisition Tools: DumpIt: Memory Acquisition

A memory acquisition tool often used in Windows-based systems

Google Analytics Cookies

A method of tracking site visits, user activity, and other elements. Include time stamps and visit counts.

LiME

A more stable tool for memory dumping is LiME. LiME also supports mobile devices. A Python utility called LiMEaide enables remote memory dumping.

Data Carving: PhotoRec

A powerful carving tool mainly focused on media files

Importance of Methodology: Methodology

A predefined method of performing an action.

AppCompatCache

A registry key used to track compatibility issues. Contains data about the file path, size, and modification time. The registry key is: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

Master File Table (MFT)

A special file in NTFS systems that contains metadata for each stored file. Changes dynamically when files are added or removed.

Frequency

A spike in data over time may be considered abnormal behavior. Data can be monitored by hour, week, month, and year.

Common Hiding Mechanisms: Scheduled Tasks

A task can be scheduled to run a malicious payload.

Browser Investigation Tools: Axiom

A tool that can carve deleted artifacts from image captures.

Event IDs: 4725

A user account was disabled.

Analysis Frameworks: Volatility

A widely used framework for memory analysis and investigation.

Governance Perspective: Standards

Acceptable level of quality

CoC Process: Acquisition

Acquire forensic evidence

CoC Process

Acquisition, CoC Form, Evidence Locker, Check in/out

/var/log/cron

Active Cron job data.

What is threat hunting?

Active defense. Proactively searching for threats. (All the time, Find undetected threats, Host and network, Tier 3 in SOC)

Acquisition Tools: FTK Imager: Drive and Memory Acquisition

Advanced forensic GUI-based program that enables multiple operations on images

Manual Log Review Limitations

Aggregate vs Distinct logs, Search through millions of logs, Hard to see the big picture.

OSFMount

Allows you to mount local dd image files in Windows. It reads the disk partition bit for bit. By default, image files are mounted as read-only. Supports disks that are mounted in RAM.

What is ADS?

Alternate Data Stream. Method of loading more than one data sector into a single file. Works only with NTFS. Typically used to hide files.

Data Carving: HxD

Although not carving software, it is commonly used to view raw data

Event IDs: 4625

An account failed to log on

Memory Interaction: Volshell

An advanced debug shell that interacts with memory.

Benefits of Live USB

An essential part of any forensics toolkit. Used for data acquisition and live forensics.

Indicators of Compromise

An important part of dealing with a threat is obtaining IOCs. IOCs help determine if an organization was harmed by a threat that was implemented. IOCs can also be used to distinguish false positives.

Live Forensics

Analysis of system artifacts while a computer is powered on. Memory Dump. Virtual storage drive imaging. The main purpose is to acquire volatile data that would otherwise be lost if the computer was turned off.

Detecting Partitions

Analysis typically begins by identifying the partitions. Get-ForensicPartitionTable can detect partitions on a drive. Most images contain at least two partitions: system and boot.

DF Analysis Types: Dead Analysis

Analyzing powered-off computers. May include analysis of cloned drives.

DF Analysis Types: Live Analysis

Analyzing powered-on computers.

Manual MFT Extraction

Analyzing the MFT is necessary to obtain ADS. MFT analysis will show sorted entries on the partition. A raw dd image is required, but .E01 will also work.

What is evidence?: In court of law

Anything you saw, heard, or said, that proves something occurred

Prefetch Files

Applications executed in Windows create prefetch files. The files are used as cache for loading time optimizations. Even if a process is no longer active, the prefetch file may indicate previous executions.

Jump Lists

Artifacts that can indicate a user's interactions with the OS. Jump lists track files accessed by a user and list them in the Recent menu group. Can also be viewed in Explorer's Recent Items.

Hunting for Threats via CVEs

As part of threat hunting, a researcher may look for well-known CVEs. A potential attack vector for a computer may be a documented CVE.

NirSoft Launcher

As with a live USB, most forensic distros include additional tools. The tools can be executed without booting the distro. NirSoft Launcher is an example of a unified interface for such tools.

Multiple File Systems

At any given time, Linux hosts multiple file systems. Among them are tmpfs, squashfs, and others. The systems can be viewed using df -T.

Why attack logs?

Attackers do not want to get caught. Removing evidence from the target is crucial to remaining anonymous. Information in logs about passwords, hosts, and users can be used during an attack.

/var/log/secure /var/log/auth.log

Authentication and authorization privileges

What are Logs?

Automatically created to store records of events. Almost all apps and operating systems generate logs. Some applications and devices differentiate between various types of logs. Logs can be found according to their file names, or using GUI-based options.

Example of Evidence

Autoruns identifies possible startup locations. Startup programs can be evidence of persistent malware. The programs reside in known folders and registry keys.

CoC Process: CoC Form

Bag and tag it

Linux Log Commands: more

Basic terminal paging program that displays contents page by page

Logon Type IDs: 4

Batch

Containment Strategies: Blocklist/Allowlist Filtering

Block or allow a specific IP address range for network access.

Analysis Capabilities

Boot and Partitions, NTFS and EXT4, Windows Artifacts, Windows Registry, Application Cache

/var/log/boot.log

Boot message data

SANS Steps for Incident Response: Recovery

Bring infected production systems back online.

Browser Search History

Browsers save a user's search history. You can view the search history by clicking the search input line. You can disable auto-complete searches in the browser settings.

Creating ADS

By default, Explorer.exe can load only the default data of the file. Creating and loading data streams are done via CMD. To create an alternate stream, simply add :[stream] to a file's name.

Log Parser Lizard

The top pane is used for queries; the bottom pane displays the results. Charts can be used to discover trends in the logs.

CAINE Live

CAINE is a distribution that runs from a live USB. Its main feature is the ability to run entirely from RAM. It enables real-time forensic acquisition.

Query Builder: Microsoft Log Parser 2.2

CLI interface used to parse and investigate logs via SQL.

Microsoft Log Parser 2.2

Can investigate Windows Event logs from files, or from the Event Viewer. Supports many log types, including IIS, CSV, XML, and EVT.

Image Mounting

Captured images can be mounted directly in Linux. The losetup command is used to create a loop device. Loop devices can be mounted the same way as other devices are.

Six Investigation Steps: DLL and Handles

Check DLLs used by various executables.

Six Investigation Steps: Code Injection

Check for malware traces in memory.

Six Investigation Steps: Rootkits

Check for signs of rootkits

Six Investigation Steps: Network

Check network activity and artifacts.

ThreatConnect IOCs

Checking information posted in ThreatConnect can provide details about potential breaches. ThreatConnect provides a list of discovered IOCs. It also provides a way to search for IOCs.

What is CIA?

Cornerstone of an organization's security infrastructure. Helps security practitioners with risk assessment and asset management. Serves as a tool or guide for securing information systems.

/proc/PID/cmdline

Command line arguments.

Hashing

Common identification method. Can prove the identity of specific files.

What is incident Response?

Confronting and managing a security breach or attack. Reducing damage and the cost of the recovery effort. (During an attack, Reduce further damage, Host and network, Tier 2 in SOC)

Timeline

Constructs a picture of all key logged events. Reveals the sequence of events. Mandatory in many forensic reports.

Virtual Drives

Contains RAW + VM data. Different formats for different vendors. Space can be dynamically allocated. Can be split across files. A file within the file system.

Virtual Memory

Contains RAW and VM data. Different formats for different vendors. The memory can be dynamically allocated. Can be captured by a hypervisor. An allocated area within the memory.

Physical Drives

Contains RAW data. No format, only bytes. The drive has a constant size. A single unit of data. A device with mechanical components.

Physical Memory

Contains RAW data. No format, only bytes. The memory has a constant size. Requires tools for capture. A device with mechanical components.

MFT Attributes: Data

Contains the data section of the file

Event IDs: 4727

Creation of a security-enabled global group

Image Conversion

Crash dumps and hibernation files cannot be read as is. They require conversion via the imagecopy command.

Chain-of-Custody (CoC)

Critical process. Document actions pertaining to forensic evidence. The process is employed in any field in which forensic evidence must be presented in a court of law. Any action that involves forensic evidence must be documented, or the bad guys will not be punished.

Attack Scenarios: Web

Cross-site scripting

Preparing for an Incident

Create a jump kit with tools to handle an event. Use CD-ROMs or flash drives with RO switches. Build an investigation VM for malware analysis. Work with snapshots after initializing the system. These steps are mandatory for ongoing incident management.

Ransomware Incident: Lessons Learned

Create a report about the incident.

Ransomware Incident: Preparation

Create blacklists of ransomware file extensions. Back up organization data.

/proc/PID/cpu

Current and last CPU on which it was executed.

Threat Intelligence

Cybersecurity is a team effort. Information and threat intelligence must be shared. Knowledge must be shared. Information sharing and analysis organizations (ISAO) should be consulted.

Containment Strategies: Black Holing Shunt

DDoS traffic from a malicious network is dropped

DF Scenario: Data Leak

DF can be used to prove data leak events. File carving can be used to identify if files existed on media devices, even after deletion. Hashing can be used to verify file identification.

Common Hiding Mechanisms: AppCert DLLs

DLLs that run in every process can be infected.

/var/log/kern.log

Data logged by the kernel.

Attack Scenarios: Attrition

Defenses are gradually worn down, brute-force attack.

SANS Steps for Incident Response: Preparation

Define critical security incidents. Perform risk assessment. Identify sensitive assets.

Pre-Analysis Notes

Define log analysis goals. Analyze logs to characterize the element that may be involved in an event. Use logs to choose appropriate tools for the investigation. Note that it is not recommended to search through a log line by line.

Should we sit and wait?

Delaying containment is not recommended. Be proactive and apply a containment strategy. Deception systems help containment and intelligence gathering. Apply containment as quickly as possible.

Event IDs: 4726

Deleted by user

Governance Perspective: Procedures

Describe each step required for specific tasks.

XFS

Designed to span multiple storage devices. Divides the file system into mapped blocks of data.

Anomaly Detection

Detecting events that did not previously occur in the system. Determining normal operation of users, per hour, to establish a baseline. There are proprietary systems that offer User Behavior Analytics (UBA) to monitor unusual events. Anomaly detection can trigger false positive alerts.

ThreatConnect

Different threat exchange platforms exist in the market. Their aim is to share information about newly discovered threats. ThreatConnect is an example of a platform that shares information regarding threats.

Coordination: Who do we talk to?: Public Affairs

Diplomatic communication with the public.

/proc/PID/fd

Directory that contains all file descriptors.

Containment Strategies: Host Isolation

Disconnect an infected system from the network

Threat Intelligence Process: Threat Intelligence

Distributed to and produced by ISAO

Deception Systems: Moving Target Defense

Diverts attacker resources to decoy systems.

Six Investigation Steps: Dump

Dump suspicious processes for in-depth analysis.

Proc Directory

Each process listed by ps or lsof is mapped in /proc/. Process directories are based on their PIDs. Each folder contains additional files required for the processes to run.

Containment Strategies: Email Filtering

Email filter controls updated with signatures/IoCs of phishing emails.

Most Valuable Asset

Employees are the most valuable assets. Employee skills represent 85% of a company's asset values.

Bottom-up Approach

Employees share their ideas and market observations.

Event Viewer Log Filtering

Enables faster viewing of essential event information. Filters include date and time, event level, event ID, and more. It is also possible to filter by XML.

Deception Systems: Intelligence Gathering

Enables gathering of TTPs.

NTFS Specialties: Indexing

Enables quick access to files stored on devices.

Coordination: Who do we talk to?: Legal Support

Ensures legal & policy compliance

Coordination: Who do we talk to?: Information Assurance

Ensures security controls and policy enforcement.

Confidentiality

Ensures sensitive data is accessed only by authorized individuals.

/proc/PID/environ

Environment variable values.

Environmental Variables

Environmental variables are always saved for each process, and may indicate where a process was executed from.

Incident Responder Responsibilities

Establish an effective incident response plan (IRP) and maintain its effectiveness based on potential threats. Investigate current and past incidents to analyze them. Provide recommendations according to analyzed incident findings.

Coordination: Who do we talk to?: Management

Establishes response policy, budget, and staffing.

Network Forensics: NetworkMiner

Focuses more on artifact recovery than protocol analysis

DF Domains: Network Forensics

Focuses on gathering data about traffic passing through network equipment

DF Domains: Host Forensics

Focuses on gathering data regarding hosts, such as files or memory

What is EXIF?

Includes GPS coordinates, camera models, and the exact time a photo was taken. Can be used as evidence when an investigator recovers photos.

State Capture

For proper investigation, the affected state must be preserved. A capture enables handling a threat and investigating it at the same time. A state capture prevents the loss of evidence.

The Procedure in CoC is Crucial

Forensics experts are careful about details. It is important to acquire evidence prior to eradicating a malicious agent. Other professionals must be informed of what was done to the evidence via the CoC form.

Incident Analysis

Gather information, determine the incident's scope of impact, produce an initial report.

/var/log/messages

Global system messages

Availability

Guarantee of non-stop access to data.

Importance of Methodology: Procedures

Guidelines and instructions

Backup Sites: A Warm Site

Has servers and other resources for backup purposes but is not as ready for switchover as a hot site.

Browser Artifacts: History

Includes entered URLs and webpages marked as favorites

Hashing

Hashing can verify file integrity. Hashing both the capture source and the captured image can prove a file's authenticity. In a criminal investigation, hashes can be used in a court of law to provide evidence of integrity.

Attack Scenarios: Espionage

Hired employees may be selling company secrets.

Threat Information: Tactics, Techniques, Procedures (TTPs)

How an intruder attacks - specific tools, vulnerabilities, botnets, etc.

Known Threat Exchanges

IBM X-Force, OTX, CrowdStrike, Facebook

DFIR Timeline

IR planning should be done prior to an attack. The average time for an attack to be detected is 6 months. Digital Forensics relies on data collected during IR.

Coordination: Who do we talk to?: IT Support

IT Technical experts.

IR for Web Server Defacing

Identify if and how the defacing occurred. Restore the content of the original site from backup. In some cases, the owner may choose to skip DF and restore the site immediately without it.

DF for Web Server Defacing: Identifying Persistence

Identify if any backdoors remain

DF for Web Server Defacing: Intrusion Detection

Identify the intrusion point.

Connections Lookup

If a suspicious connection is found, its IP can be looked up. The IP can also be correlated to a PID.

SANS Steps for Incident Response: Containment

Implement short-term containment and network segment isolation. Shut down hacked servers.

Cloning a drive with FTK

In FTK Imager, the capture is done through an interactive wizard. The wizard prompts the user to choose the drive or partition to clone and the format. Typically, the raw (dd) format is used, and the image is fragmented.

Linux Forensics Methods

In Linux everything has file representation: memory, running processes, etc. Dead and live analysis are similar in many aspects. Most Linux-based data is not binary.

DLL List

In Windows, information can be obtained by inspecting DLLs. DLLs can indicate network activity or access to special system APIs. DLLs for a specific process can be viewed using dlllist -p [PID]. Without -p, dlllist displays the DLLs loaded by every process in the system.

IR for Social Engineering

In phishing, SE refers to investigating the message and attached links. In real-world social engineering, the IR team can set up decoys.

Autopsy Features

Includes many tools to enhance the analysis of captured images. These tools include hash lookup, file carving, metadata extraction, and others. The tools can extract important data and index data for faster queries.

Drive Inspection Tools: FTK: Proprietary

Includes tools for cloned drive inspection

Suspicious Behavior

Increased traffic, Accessed file types, Service inspection, Domain identification, Persistence.

Attack Scenarios: External Media

Information obtained via USB or external drive.

MFT Attributes: Standard Information

Information such as time stamps and link counts.

Intelligence Gathering: Threat Information

Information that helps understand how an attacker operates to improve protection.

Incident Detection: Precursor

Information that indicates an attack may be imminent.

Log Classification

Informational, Debug, Warning, Error, Alert.

Inode Structure

Inodes are the Linux equivalent of MFT. They map files to the system, without file names, and include timestamps.

Inodes

Inodes can be viewed using the ils and fsstat commands. By default, ils only displays deleted inodes. Inodes can be viewed more elaborately on live systems.

Coordination: Who do we talk to?: Human Resources

Insider threat situations, employees who violate policies.

Kernel Modules

Inspecting the kernel modules may reveal malicious activity. Kernel modules can be hidden, and require a more thorough investigation.

Processes

Instances of computer programs that are being executed. Contain program code and activity.

Intangible Assets

Intellectual property, patents, trademarks, etc.

Logon Type IDs: 2

Interactive login

Asset Definition

Item of value related to organizational objectives. Can be a computer or data. Assets have interrelated characteristics such as value, criticality, and their involvement in business objectives.

Journaling

Keeps track of changes not yet committed to the file system. Journaling can be done on an entire file or just its metadata. Was introduced in Ext3, and improved in Ext4.

Threat Hunting Process: Knowledge

Know your system, and your enemy.

Threat Hunting

Know your system. Know your enemy. Proactively search for system IoCs. Review logs and other data for evidence and IoCs. Share information

Threat Hunting Process

Knowledge, Search, Review, Report, Sharing.

Parental Structures

Legitimate processes have identifiable parent tree structures.

/proc/PID/cwd

Link to the current working directory.

/proc/PID/exe

Link to the process executable.

File System Debugging

Linux has a special utility to debug file systems called debugfs. debugfs can also be used to recover files.

Linux Memory: RAM

Linux uses RAM in a similar way to Windows. RAM can be investigated using Volatility.

Static Binaries

Live CDs should be mounted as RO. Although the binaries are static, some may rely on other binaries to work. Busybox is also commonly used in such cases.

MFT Attributes: Attribute List

Location of additional attributes outside the MFT.

Linux Log Basics

Logs are different in CentOS/RedHat and Ubuntu/Debian. Almost all log files are located in the /var/log directory. To view or access the log files, you must have root permissions.

/var/log/dpkg.log /var/log/yum.log

Logs data when a package is installed or removed

Undetected Incidents: Log & Artifact Retention

Long log retention and 3rd party experts.

Common Hiding Mechanisms: Bootkit

MBR can be manipulated to load malware upon restart.

mmls

mmls is part of The Sleuth Kit. It displays the volume contents with start and end sectors. E01 images must be mounted first by running ewfmount [image] [path].

Memory Dumping Tools

MWMT, FastDump, FTK Imager, WinPmem. The primary difference among memory-capturing tools is the formats they support.

Suspicious Details

Malicious processes will often attempt to copy the names and PIDs of legitimate processes.

Common Hiding Mechanisms: Startup Folder

Malware can be hidden in a startup folder.

Persistence

Malware may use persistence techniques to preserve a foothold in a compromised computer. Persistence techniques may also constitute IOCs. Although many persistence techniques exist, malware developers typically stick to just a few. Since persistence is performed using high-level privileges, many types of malware launch Privilege Escalation attacks.

Attack Scenarios: Impersonation

Man-in-the-Middle, social engineering

Database

Many applications work with database event logs.

Malware Forensics

Many types of malware have been developed. Each type behaves differently. Malware activity can be discovered by analyzing the behavior of a computer.

Decision Tree

Memory extraction is dependent on the system type. Memory dumping is different for bare-metal and virtual systems. For bare-metal, the acquisition depends on whether the system is on or off.

Decision Tree -Recap

Memory extraction is directly affected by the system's state. Memory dumping is different in bare-metal and virtual systems. For bare-metal, the acquisition depends on whether the system is on or off.

VM Metadata

Memory obtained from VMs will have additional metadata. In VirtualBox, this data is saved in a structure called DBGFCOREDESCRIPTOR. VMware metadata can be extracted using the vmwareinfo command.

How?

Method or procedure used to handle the evidence. (Example: disk image procedure)

SANS Steps for Incident Response: Identification

Monitor IT systems and detect deviations from normal operation.

Ransomware Incident: Identification

Monitor and look out for blacklisted extensions.

NTFS Specialties: Alternate Data Stream

More than one resource included in a single file.

Browser Search Terms

Most modern browsers successfully save search terms. Some search terms can be derived from URLs.

Hiding Files

Most operating systems only pay attention to the first header. Multiple files may be hidden by concatenating hex data. Saving each hex section will result in a complete file.

Attributes

NTFS uses attributes to save information regarding files. Attributes define data structures for raw bytes. Saved in files called $AttrDef

NIST

National Institute of Standards and Technology. Non-regulatory government agency that develops technology, metrics, and standards. Part of the U.S. Department of Commerce.

Network Data Extraction

Netstat can be used to obtain network information. Netstat can show open and established sockets. This is useful when attempting to identify backdoors.

Logon Type IDs: 3

Network

Logon Type IDs: 8

Network Clear text

SNMP

Network device management

Identifying New Tools

New exploitation tools are being developed every day. Threat Intelligence can help keep track of useful tools and their lists of IOCs. Being aware of possible dangers can improve detection and security preparation.

Undetected Incidents: Undetected Incidents

Not all incidents are obvious or detected.

Commercial Tools

Not many memory-acquisition tools exist in the market. You can use PCI devices, but there aren't many for memory capturing, and they are expensive.

Deleting Logs using the Event Viewer

Not useful, since a log entry is generated when logs are deleted. SIEM monitors this type of event.

Undetected Incidents: Vigilance

Notice anything out of the ordinary? Do we have the right tools to discover an incident?

Incident Detection: Automation & Orchestration

Obtaining a timeline from host and network-based tools.

Governance Perspective: Policies

Official statements that reflect the stance and direction of top-level management.

Clonezilla Capture Modes: Remote-Source

One of Clonezilla's most important features is that it can clone over the network.

Memory Analysis

One of the most important sources of information. An entire area of expertise. Extremely useful in malware analysis

Fmem Kernel Module

One way to create a memory dump is to use the fmem kernel module. The kernel module creates /dev/fmem, which can be captured. Because the memory is dynamic, issues may arise when using dd.

Memory Inspection: Volatility Framework

Open-source collection of Python tools supported by both Linux and Windows

Memory Inspection: Rekall

Open-source framework for advanced forensic and incident response

Network Forensics: Wireshark: Static Analysis

Operates on data that was already captured.

Coordination: Who do we talk to?: Physical Security

Organization-wide drills regarding facilities

Disaster Recovery Plan (DRP)

Outlines response strategies for unplanned events. Helps minimize the effects of a disaster. Earthquakes, fires, floods, cyberattacks, and others. Determines which applications must remain operational.

Process Information

PID, Remote connections, File system modifications, Registry changes, DLL usage.

Windows Page File

Page files store data when the RAM is low on space. Although page files may contain useful data, they are not memory files. A page file is investigated by extracting strings.

Incident Response (IR)

Performing actions when a security breach occurs.

Attack Scenarios: Email

Phishing

Tangible Assets

Physical items such as company vehicles, buildings, hardware, software, etc.

Threat Information: Precursors

Point to a possible attack - vendor advisories, detection of a vulnerability scanner, and recon attempts.

Threat Information: Indicators

Point to a probable attack - malicious files reported in logs.

Incident Detection: Indicators

Pointers to an incident that may be underway.

Operation Modes: Mounted Drive

PowerForensics can be used on mounted drives and non-mounted physical drives.

ADS in PowerForensics

PowerForensics can detect alternate streams. If provided with a volume, it will list all files with an ADS. If provided with a path, it will list all the streams of the file.

Operation Modes: Live System

PowerForensics was initially developed as a forensic toolkit for live systems.

Irrecoverable Artifacts

PowerShell history, Prefetch, DNS cache, USB devices. During reboot, some artifacts may be partially deleted.

Threat Intelligence Process: Threat Information

Precursors, IoC, TTPs

Prefetch Location

Prefetch files contain process activity cache. If not disabled, Windows stores prefetch files in C:\Windows\Prefetch. The files contain metadata regarding the application.

Ransomware Incident

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.

SANS Steps for Incident Response

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.

SANS Steps for Incident Response: Lessons Learned

Prepare complete documentation of the incident.

Windows Event Viewer

Presents details of events (at the bottom of the window). Each event category has a unique ID. The details section displays events in XML format.

KDBG for System Profiling

Prior to analysis, the memory structure needs to be identified. Volatility uses the _KDDEBUGGER_DATA64 structure to detect the Windows version. Rekall uses global symbol information.

Prioritize Incidents

Prioritize by function, information sensitivity, and difficulty of recovery.

SANS

Private organization established in 1989. Offers research and education in the field of information security.

Threat Hunting Process: Search

Proactively seek evidence and IoCs

Process Investigation

Processes in Linux have file representations. Process files include metadata associated with the process. Processes are mapped in the /proc/ directory. The /proc/ directory uses tmpfs, meaning the files are saved in volatile memory.

Six Investigation Steps

Processes, DLL and Handles, Network, Code Injection, Rootkits, Dump

LEA

Proprietary Checkpoint Protocol

Forensic Image Formats: E01

Provides compression, a per-file checksum, and password protection.

Non-Repudiation

Provides proof of the origin and integrity of data. Can be achieved with digital signatures or timestamps.

Process Acquisition

Ps is used in Linux to acquire process information. However, from a forensics perspective, lsof is better. Lsof lists are based on the files used by processes.

Pslist and Pstree

Pslist is a basic plugin used to view the process list. Pstree is more advanced and shows the process hierarchy as well. Alternatively, processes can be correlated using the PID and PPID values. Psxview can also be used to tell if a process is trying to hide.

Memory Dump Formats

RAW, Crash Dump, Hibernation, EWF, AFF4

Capture Formats

RAW, ISO, EWF, dd. The capture format is based on the media from which it is captured.

Ransomware Incident: Eradication

Re-image the system's hard drive. Fix vulnerabilities.

Linux Log Commands: head

Reads the first 10 lines of a file.

Linux Log Commands: tail

Reads the last 10 lines of a file

File Carving

Reassembles files from fragments when no metadata is available. File carving can be used to recover partially overwritten files. Carving can sometimes detect poorly hidden files.

Governance Perspective: Guidelines

Recommendations or suggestions that are not necessarily mandatory

NTFS Specialties: Journaling

Recording storage device activity.

Common Hiding Mechanisms: Registry Keys

Regedit can be used to hide and launch programs automatically.

Recoverable Artifacts

Registry entries, File logs, Master file table, Browser history, USB devices

Logon Type IDs: 10

Remote interactive

SANS Steps for Incident Response: Eradication

Remove malware from infected systems. Identify and fix the root cause.

Deleting files from %system32%\winevt\logs

Requires high-level privileges. To execute this, the Event Log service must be disabled. Doesn't delete all recent logs.

IR for Trojan Delivery

Response depends on whether the Trojan was already executed. If executed, it focuses on containment and eradication

SOC Responsibilities

Responsible for the most critical IT systems in a company. Detect, analyze, and respond to cybersecurity incidents. Employ people with high-level skill in IT and cybersecurity.

RACI Table

Responsible, Accountable, Consulted, Informed. The table's main purpose is project management. Used to assign roles and responsibilities for each incident alert.

Ransomware Incident: Recovery

Restore the backup. Search online for a decryption key and decrypt the workstation files.

What is digital forensics?

Revealing and collecting all electronic data without modifying or contaminating it. Preserving evidence and reconstructing past events. (After attack, Find evidence, Host and network, Tier 3 in SOC)

Threat Hunting Process: Review

Review logs and data for IoCs

SIFT Workstation

SIFT is a virtual Debian appliance dedicated to DF. Developed by SANS, a leading cybersecurity training institution. Comes as a pre-packed OVA.

SOC Relationship with IR

SOC team isn't responsible for incident handling. During an incident, SOC detects the event and notifies the IR team.

Deleted Files

When a user deletes a file, it is not actually deleted. The file is marked as unallocated. The file will remain in the system until its sector is overwritten.

Cmdscan

Scans for a command line history buffer.

Sockets

Scans for all open sockets. Sockets displays only local open ports. It shows both TCP and UDP ports. Not all ports detected by Connscan will be displayed by Sockets. Connscan and Sockets should be used as complementary plugins.

Consoles

Scans for available console information. Consoles is not generally used in Windows.

Connscan

Scans for identifiable TCP connections in older versions of Windows.

Linux Log Commands: grep

Searches for specific strings in files.

Logon Type IDs: 5

Service

Baseline

Sets a standard for normal behavior, for the purpose of comparison. Example: how many 'su' commands are used per hour, each day.

Threat Hunting Process: Sharing

Share threat information with the team

Linux Log Commands: less

Similar to the more command, but with search options.

Statistical Analysis Intro

Some events will not be noticed if they occur only once. When a malicious event occurs only once, it may appear to be a legitimate action. When malicious events occur in large volumes, it is much easier to detect them.

Fileless Malware

Some malware can run in memory without creating files in the system.

Hidden Processes

Some processes may attempt to hide their execution.

DLL Dump

Some DLLs loaded by processes can be dumped. DLLs should be dumped per process. A memory capture can contain thousands of DLLs.

Significance of Live Forensics

Some data may be lost when a computer is turned off. Over time, OS data may be overwritten. Some data may be encrypted when a system is shut down.

Registry Keys

Some registry keys can be extracted from memory. One of the most common keys to check is winlogon.

Customized Tools

Some tools can only be used for specific devices, such as DVRs. Some forensic tools are custom-made for dedicated parsing

File Dumping

Sometimes files are found in memory. Files in memory can be dumped using Dumpfiles. For Dumpfiles to work, the offset must first be found. Files loaded in memory are typically DLLs.

BTRFS

Space-efficient file system. Supports compression and snapshots.

Linux Forensic Acquisition

Static binaries are used for minimal footprint on the system. Binaries should be loaded from a live CD. In most cases, such Rescue CDs are custom made.

Attack Scenarios: Loss/Theft

Stolen laptop or mobile device.

PowerShell Logs

Store historical PowerShell commands. Two ways to view historical PowerShell records: open PowerShell and press the "up" key; or open the file at the following location: %AppData%\Microsoft\Windows\PowerShell\PSReadLine. PowerShell history helps detect "fileless" attacks.

Why use Logs?

Store information that is not found elsewhere. Record useful information about certain events in the system. Logs can help the troubleshooting process when errors occur. Regarded as evidence in a court of law. Required for many GRCs. Included in an incident response investigation.

Browser Cache: Chrome

Stores cache in C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Profile 1\Cache

Browser Cache: Firefox

Stores cache that can be viewed by entering about:cache in the URL field

Cache

Stores images, cookies, etc. Harder to clear. The format is different among browsers. May not disclose visited sites. Not saved in private mode.

Registry

Stores information in key-value format. The registry can help identify persistent threats that execute during boot. One of the keys is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

History

Stores only URLs. Easily cleared. The format is the same among browsers. Explicit indication of visited sites. Not saved in private mode.

Forensic Image Formats: AFF

Stores the imaged disk as compressed segments for more efficient storage, together with metadata of the image.

Event IDs: 4624

Successful logon

Threat Hunting Process: Report

Summarize findings

Boot Record Types: GPT

Supports up to 16 exabytes. Supports up to 128 partitions.

Boot Record Types: MBR

Supports up to four partitions per storage device. Works only with storage devices of up to 2 TB.

Swap Digger

Swap Digger is a Bash script that automates swap analysis. The script looks up passwords and URLs. Swap Digger can operate on live systems and mounted captures.

Network Time Protocol

Syncs clocks across the network. Ensures a more accurate event timeline. Can operate locally, or over the internet.

Threat Information: Protection Profiles

Systems must work with anti-virus apps, patches, and security upgrades.

Threat Hunting vs. Threat Intelligence

TI: Involves obtaining threat-related information from various sources. The technique is used to improve the level of security in an organization. TH: Involves the discovery of seemingly undetectable breaches. The process investigates anomalies and suspicious activity. TH includes forensics, log parsing, and research.

Threat Intelligence Process: Team Review

Teams review threat information

DNS Cache

Temporary database maintained by the computer's OS. Contains records of recent visits to websites and other internet domains.

Linux Log Commands: awk

Text processing program for better log viewing

Containment: Scope & Strategy

The scope of the intrusion must be evaluated to apply an effective strategy.

Linux Memory: SWAP

The Linux equivalent to Page file. Can be a file or an entire partition. The swapon -s command can be used to check the location of the swap.

RunMRU

The Run prompt uses the Most Recently Used (MRU) utility. The registry key is: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. Features such as Find and Printers also use MRU.

JLS and JCAT

The Sleuth Kit provides tools to inspect the journal. JLS lists all the blocks, and JCAT prints information of a given block. The block data itself is usually unreadable, but may include file names.

ICAT

The second step is to extract the raw MFT from the partition. The ICAT tool will extract a raw and unparsed MFT. ICAT uses the sector's offset and length to obtain data.

Integrity

The certainty that data is trustworthy and accurate (unaltered).

Extracting the Executable

The executable for each process can be extracted using cp. Extraction will work even if the executable was deleted.

AnalyzeMFT

The final step is to parse the raw MFT to a readable file. Use analyzeMFT.py to parse the raw table to a CSV file. analyzeMFT is preinstalled in the SIFT workstation.

Capturable Evidence: Hard Drive

The hard drive may contain file and log evidence.

What to Attack

The host in which logs are generated. Transmitted logs. Agents that collect logs. Database in which logs are stored. Log attacks are aimed at disrupting a service, or changing, deleting, and viewing log data.

Capturable Evidence: Memory

The memory is full of evidence, such as live processes

What is a file system?

The method computers use to manage the storage and retrieval of data. File systems isolate data on storage devices for easier and faster identification and access.

Memory Interaction: Plugins

The most common method is to analyze memory using Volatility

IR Execution: Following the steps

The plan should include various steps, such as containment and eradication.

Containment

The process of endeavoring to stop the spread of a cyber intrusion.

Browser Investigation

The purpose of a browser is to connect to the internet and facilitate a simple and friendly user experience. Browsers typically collect data about a user's searches and other activities. Most of the collected data can be retrieved by analyzing the browser's cache files.

Image Investigation

The traditional way to investigate an image is to open it in a dedicated software tool. An alternative method is to create a VM based on the image. If a drive is encrypted, the preferred method of investigation is to create a VM based on the image.

Process Dumping

This is an important technique in any investigation. Procdump allows dumping a process as an executable. The executable can then be further inspected and analyzed.

BrowserHistoryView

This lightweight tool helps cross-search browsing history. The tool is available from NirSoft. It does not display information such as cached credentials.

Clonezilla Capture Modes: Device-device

This option clones an entire drive or partition to another drive or partition

Clonezilla Capture Modes: Device-Image

This option creates an image capture from an actual drive.

Threat Hunting Cycles

Threat Hunting is often divided into separate categories. The hunt in each category will include different targets. A hunt cycle can be created to change the focus of the Threat Hunting process periodically.

Threat Intelligence Process

Threat Information, Team review, Synthesize & report, Threat intelligence

Intelligence Gathering: Threat Intelligence

Threat information that is processed and analyzed to devise more effective security measures. Threat intelligence is based on threat information and translates it into effective action.

Why do we need IR?

To contain threats and prevent them from spreading and causing additional damage. To help an organization recover after a breach occurs.

Identifying Suspicious Behavior

To identify malware activity, suspicious system behavior must be monitored continuously. Several tools can be used to monitor such behavior, including Wireshark and PowerShell.

Extraction over NC

To prevent writing to disk, data acquisition should be done over the network. Netcat is typically used to send and receive the data. On the compromised host, a static binary or nc (Netcat) is used.

DF for Social Engineering

Traces are usually emails, messages, and suspicious links. The evidence is typically collected from employees. Is followed by threat hunting to determine whether other employees were also affected

Tracking Breaches

Tracking CVEs is often not enough. More information must be gathered online. By sharing information about breach IOCs, a researcher can easily find potential attack vectors. The vectors can be used to compromise a network.

Accountability

Tracks user activities during an incident. Enforced through audits.

MFT Attributes: Index Root

Used to implement folders and other indexes.

Threat Intelligence Process: Synthesize & Report

Turn information into action

Maps and Descriptors

Two other useful commands are maps and fd. Maps lists all loaded libraries. Fd lists all file descriptors.

Windows Logs

Types: Application, Service, Security, System. Application and Service logs include many useful logs, such as PowerShell and Terminal Service. Can be used to troubleshoot BSOD errors. Can be used to investigate successful and failed logons.

Threat Information: Security Alerts

Typically sent by logs or SIEM

URL Identification

URLs represent network-related information not identified in memory. There is no available utility that can be used to scan for URLs. URLs can, however, be retrieved via Strings or Bulk Extractor.

USB Logs

USB connections do not create logs or files. They trigger special events in Event Viewer. USB connection events can be viewed using USBDeview by NirSoft.

USB Devices

USB is an industry standard for device connection, data transfer, and power supply. USB devices belong to one of several classes, including HID, storage, and others.

Linux Log Attacks

Unlike in Windows, manipulating log files is much easier in Linux. Must have sudo permission to modify logs. The following command modifies a log in a UNIX-like system: sudo nano /var/log/messages

PowerForensics Scripting

Unlike regular browsing, PowerForensics lists files by parsing the MFT. It enables script-like functionality and smart searching.

Logon Type IDs: 7

Unlock

MFT Attributes: File Name

Up to 255 characters

Containment Strategies: Indicators of Compromise (IoC)

Use and implement patterns of known attacks to prevent attack propagation (e.g. IPS)

ADS Execution

Use the type command to read alternate data. You can execute data in an alternate stream. Execution does not depend on the main data's type.

Dumping Memory in FTK Imager

Use tools like FTK Imager and DumpIt to capture memory in a non-virtual system. The main benefit of FTK Imager is that it can capture the page file. Capture memory using FTK Imager via the RAM icon in the menu at the top.

Syslog

Used by Linux OS with TCP/UDP protocol on port 514.

Event Viewer

Used by Microsoft Windows.

DF Distributions: REMnux

Used mainly as a persistent forensics system for memory artifacts

DF Distributions: Computer Aided INvestigative Environment (CAINE)

Used mainly for acquisition and live forensics

Autopsy

Uses forensic tools from the Sleuth forensic toolkit. Each case to be examined in Autopsy is created separately. A case can include multiple captures.

Virtual Drive Formats

VHD, VMDK, VDI, VHDX

VMware Memory

VMware automatically creates a memory dump whenever a snapshot is taken. Memory files typically will be in .vmem, .vmsn, and .vmss formats. The .vmem files contain both the memory schema and metadata.

Attack Scenarios: Improper Usage

Violation of acceptable usage policy, disciplinary action by HR

Memory Capture in VirtualBox

VirtualBox memory acquisition is more technical than other memory acquisitions. VirtualBox starts the VM in debug mode. The memory is captured in the debug console.

Image Splitting

Virtualization software splits a drive into multiple files. To perform an investigation, you will need all the files. Splitting is done to increase read and write speeds.

Malfind

Volatility includes the Malfind plugin that detects possible code injection. Malfind detects executable sections in memory.

Volatility

Volatility is a popular framework used for memory analysis and investigation. It includes various Python-based tools for memory artifact extraction. Google's Rekall rivals Volatility but currently is not as popular.

Third-Party Plugins

Volatility supports third-party plugins that can be used in more complex investigations. The plugins are helpful when analyzing sophisticated attacks. Hollowfind is a plugin used to detect process hollowing attacks.

MFT Attributes: Object ID

Volume-unique ID used by link-tracking services

What?

What evidence was being accessed? (Example: disk image)

Where?

What is the location at which the evidence was accessed?

Encrypted Systems

When loaded into memory, most information will be unencrypted.

Crash Dumps

When the Windows operating system crashes, it creates a memory dump. The size of the memory dump can be defined in the system settings. When the computer recovers, a memory.dmp file will appear in the %systemroot% directory.

When?

When was the evidence accessed?

Backup Sites: A Cold Site

The cheapest option; it does not always have the necessary equipment to enable the resumption of normal operation.

Who?

Who handled the evidence?

MFT Attributes: Security Descriptor

Who owns the file

CoC Process: Check in/out

Who, What, Where, When, Why, How (5W1H)

Why?

Why was the evidence accessed? (Example: to make a copy)

WinPrefetchView

WinPrefetchView is a tool used to analyze prefetch files. The tool is freely available from NirSoft. It can determine the file's last execution and location.

FlareVM

Windows can be turned into a DF environment using the FlareVM script. The script installs and configures many MA and RE tools.

Hibernation

Windows hibernation files are compressed memory files. Use Volatility's imagecopy tool to convert hibernation files. Hibernation files are classified as system files and are hidden by default.

Legitimate Tree

Windows maintains an organized process hierarchy. Out-of-place processes are easily identifiable. For example, svchost.exe must be executed under services.exe.

Coordination: Who do we talk to?: BCP/DR

Works closely and in parallel with IRT

Format Conversion

You can convert virtual drives from one format to another. Among such tools, qemu-img is used for this purpose. qemu-img supports many formats and versions.

Attribute Forensics

You can parse attributes in a file system using PowerForensics. The attributes list includes the mapping of data on the drive.

Files & Records

You can use PowerForensics to view files and file information. It can also detect special files, such as $MFT and $Volume.

ZEEK Logs

ZEEK can monitor traffic on its own, or investigate PCAP files. ZEEK outputs log files in a structured format, with predefined names. ZEEK can also be used online to parse small PCAP files.

Artifact Locations: Chrome Favorites

\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Bookmarks

Artifact Locations: Chrome Cookies

\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Cookies.db

Artifact Locations: Chrome URLs

\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\History

Artifact Locations: Firefox Cookies

\Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\cookies.sqlite

Capture Tools

dd, Clonezilla, FTK Imager, Acronis, Falcon
