2. #whoami
• Head of united monitoring/lead security expert at QIWI
• Past: Security analyst at GE Capital, independent security
consultant in fintech, systems/network administrator
3. Enterprise forensics: use cases
• Internal incidents
• User behavior related (suspicious attachments etc)
• Internal fraud
• External incidents
• Online banking
• Targeted malware
And special thanks to Red Team for mastering our
forensics skills ;)
4. Let’s get this party started
• Write down all the non-technical incident details
• Possibility of live response?
• Grab all the checksums/hardware details/images/etc
• Inspect all the related systems (if applicable)
5. Live Response: common
• Date and time, NTP settings
• Network: connections, active network software, routing
• Running processes and services
• Scheduled jobs
• Users and groups
• Logs, active memory and swap full dump
• Disk image
7. Live Response: Windows-specific
• DLLs, setupapi.log
• Mapped drives, opened shares
• Prefetch
• Policies
• RAW registry files (hives)
• Autorun, NTUSER.DAT from all accounts
8. Live Response: toolkit
Linux:
• Built-in: nc, netstat, lsof, ps, strace, strings, dmesg, dd
and so on
Windows:
• MIR-ROR script/Sysinternals suite
• Mandiant’s memoryze
Specific tools: WinFE, Sleuthkit, AccessData FTK imager,
EnCase Forensic Imager/LinEn, Magnet RAM Capture,
ewfacquire/libewf
9. Imaging
• Prepare a proper drive for imaging. Wipe & format it if
needed
• You may use some special tools during Live Response or
just a Linux/WinFE live CD
• Never. Mount. Original. Evidence. Partitions.
10. Carving: deep dive into non-volatile evidence
• Before you begin:
• Prepare image/device write protection
• Write down all inputs: device serial numbers, checksums of
the acquired images or files, device or image “healthcheck”
status
11. Carving: basics
• Mount every evidence copy read-only (OSFMount,
FTK Imager, mount -o ro)
• Capture all the hierarchy
• Create timelines (fls, regtime.pl, PowerForensics)
• Collect all executables and run them against a known-file
filter (KFF) or any similar tool
12. Carving: so…what?
Sorry guys. No universal recipe here.
• Take one more look at your initial incident details
• Review log files (or utilize Splunk/ELK for drill down)
• Review all accounts related information
• Review timelines, files created in incident timeframe
• Put all KFF non-filtered files to malwr/virustotal or
standalone cuckoo server
• Review all the found scripts
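The timeline step from slides 11 and 12, worked through as an added example that is not part of the original deck: parse a Sleuth Kit body file (the format `fls -m` produces), and list only the files whose MACB timestamps fall inside the incident window. The body-file lines below are constructed sample data, not output from a real case.

```python
"""Filter a Sleuth Kit body file (fls -m output) down to an incident window."""
from datetime import datetime, timezone

# Constructed sample records in TSK 3.x body-file format:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# (fls -m writes 0 in the MD5 column; timestamps are Unix epoch seconds)
SAMPLE_BODY = """\
0|C:/Windows/System32/cmd.exe|1234-128-1|r/rrwxrwxrwx|0|0|289792|1500000000|1400000000|1400000000|1400000000
0|C:/Users/alice/AppData/Local/Temp/update.exe|5678-128-1|r/rrwxrwxrwx|0|0|51200|1500003600|1500003500|1500003500|1500003500
0|C:/Users/alice/Downloads/invoice.pdf.lnk|9012-128-1|r/rrwxrwxrwx|0|0|1024|1500003400|1500003400|1500003400|1500003400
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def parse_body(text):
    """Yield one dict per record; silently skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        rec["size"] = int(rec["size"])
        yield rec


def timeline(text, start, end):
    """Return sorted (UTC timestamp, MACB flags, name) tuples for every
    timestamp in [start, end]. Flags follow mactime's convention:
    m = modified, a = accessed, c = metadata changed, b = born (crtime);
    a '.' marks a timestamp type that did not occur at that second."""
    events = {}
    for rec in parse_body(text):
        for flag, key in (("m", "mtime"), ("a", "atime"),
                          ("c", "ctime"), ("b", "crtime")):
            ts = rec[key]
            if start <= ts <= end:
                events.setdefault((ts, rec["name"]), set()).add(flag)
    rows = []
    for (ts, name), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append((when, macb, name))
    return rows


if __name__ == "__main__":
    for row in timeline(SAMPLE_BODY, 1500003000, 1500004000):
        print(*row)
```

On a real image, feed it the output of `fls -m C:/ -r image.dd` and pick the window from the non-technical incident details recorded at the start of the case.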
14. Carving: internal investigations and human factor
The most commonly interesting files when there is a
“suspicious user” involved
- IM logs
- Browsers history and cache
- Recently opened files and downloads
- Devices history
- Remote control tools artefacts
15. Carving: Enterprise insides
• Export all the related information from your security
tools (IDS/IPS, firewall logs, proxies, SIEM records, DLP,
AV alerts)
• Sometimes the initial point of compromise is not what
you’ve suspected
• Not seeing anything strange in your SIEM is no reason
to relax.
17. QIWI Forensic Lab: Toolkit
• AccessData: Forensic Toolkit v6, PRTK, Imager, Registry
viewer, KFF.
• R-studio
• IDA Pro
• Redline
• And a lot of other small Santa’s helpers (log2timeline,
srch_strings, Volatility framework, OSFMount, EDD,
Nirsoft tools etc)
18. Reporting. I know you hate it.
Common information:
• Case summary (brief overview what’s happened and when)
• Serial numbers, make, model etc.
• All the preparation steps
Investigation process:
• Tools used, start and end dates
• Detailed information about the process: artifacts, pictures,
documents…
Conclusion