For a college course in incident response More info: https://samsclass.info/152/152_F22.shtml

1. CNIT 152:
Incident
Response
11 Analysis Methodology
Updated 10-19-22

2. Process

3. De
fi
ne Objectives

4. Background
• You must have a commanding knowledge of
both the situation and the technology,
understanding
:
• What are you looking to determine
?
• Is it possible to form a conclusion from the
facts you have
?
• How long will it take?

5. Background
• What resources will you need
?
• Who is interested in your results
?
• What do they plan to do with them?

6. Leadership
• Identify who will de
fi
ne the objective
s
• Ensure that the entire investigative team knows
who that person i
s
• This prevents miscommunication and loss of
focus

7. Proving a Negative
• Don't attempt to "prove" that a server was not
compromise
d
• That task is dif
fi
cult or impossibl
e
• Because you won't have enough informatio
n
• Audit trails don't cover every actio
n
• Logs don't go back to the start of time

8. Positive Goals
• Look for a set of indicators of compromis
e
• State if you can
fi
nd an
y
• If indicators are reasonable
,
• You can state an opinion that the system was
likely not compromise
d
• But you don't know for sure

9. Realistic Questions
• Is malware present on this computer
?
• Not realistic to determine for sur
e
• Is there an active
fi
le with this speci
fi
c MD5
hash on this computer
?
• Realistic, easy to answer

10. Scope
• Too vague
:
• Look at this hard driv
e
• Look at all e-mai
l
• Better
:
• Review all active .pst
fi
les for any email Bob
Smith received within the last month

11. Why?
• Always ask "Why?
"
• Keep asking questions until the stakeholders
come to a consensus about the scope and
purpose of the analysi
s
• Analyst may need to de
fi
ne the objectives
because the company representatives don't
understand what is possible or reasonable

12. Know Your Data

13. Where is Data Stored?
• Desktop and laptop computer
s
• Hard drive
s
• External storag
e
• Virtual desktops--no local storage, everything
on centralized virtualization infrastructure

14. Where is Data Stored?
• Server
s
• Data centers, server rooms, or
communication closet
s
• Often rack-mounte
d
• At least one hard drive for operating syste
m
• May contain additional drives, or use
external storage solutions exclusively,
especially for virtual servers

15. Where is Data Stored?
• Mobile device
s
• Phones, personal digital assistants (PDAs),
tablet, wearable computer
s
• Small amount of nonvolatile storag
e
• Flash memor
y
• Expansion slots and ports for external
storage devices

16. Where is Data Stored?
• Storage solutions and medi
a
• USB
fl
ash drives and hard drive
s
• CDs and DVD
s
• Network Attached Storage (NAS
)
• Storage Area Network (SAN)

17. Where is Data Stored?
• Network Device
s
• Firewalls, switches, router
s
• Typically don't store user dat
a
• Contain con
fi
guration and logging data

18. Where is Data Stored?
• Cloud service
s
• Off-site third-party service hosting dat
a
• Hosted email, timesheets, payroll, human
resource
s
• Dropbox, Google Drive, etc.

19. Where is Data Stored?
• Backup
s
• Can be stored on local device
s
• Disaster recovery plan requires off-site
backup
s
• Most commonly on tape, but could be on USB
drives or DVD
s
• Cloud-based, like Carbonite or Mozy

20. What's Available?
• Four types of evidenc
e
• Operating syste
m
• Application
s
• User dat
a
• Network services and instrumentation

21. Operating System
• File systems like NTFS and HFS
+
• State information such as running processes
and open network port
s
• OS log
s
• OS-speci
fi
c data sources, like Windows registry,
Unix syslog, and Apple plist
fi
les

22. File Systems
• Can be independent of operating system
s
• General concepts
:
• Allocation unit
s
• Active
fi
les, deleted
fi
le
s
• Timestamp
s
• Unallocated (free) space,
fi
le slac
k
• Partition tables

23. File Systems
• Unique characteristics, data, and artifact
s
• NTFS
fi
lename timestamps (link Ch 11i
)
• NTFS data stream
s
• UFS inode
s
• HFS resource fork
s
• File Allocation Table for FAT12, 16, and 32

24. Brian Carrier's Book
• From 200
5
• Authoritativ
e
• Very detaile
d
• Link Ch 11b

25. Application-Speci
fi
c
Artifacts
• Internet browser cach
e
• Database
fi
le
s
• Web server log
s
• Chat program user preferences and log
s
• Email client data
fi
le
s
• Often left behind when applications are
uninstalled

26. User Data
• Email, documents, spreadsheets, source cod
e
• May be on their day-to-day syste
m
• Or other systems throughout the environmen
t
• May be in centralized locations for each user

27. Network Services and
Instrumentation
• DHCP, DNS, Proxy server
s
• Network
fl
ow dat
a
• IDS/IPS system
s
• Firewalls

28. Access Your Data

29. Raw Data
• May be
• Encrypted, compressed, or encode
d
• In a custom forma
t
• Provided on original hard drive
s
• Contained in hard drive image
s
• Broken

30. Ask Questions
• Determine what you hav
e
• If someone else provides the data,
• You must ask good question
s
• You may have trouble using the data you
receive

31. Disk Images
• May be encrypte
d
• Could be logical copy, forensic image, or clon
e
• Could be from a RAI
D
• Three common formats
:
• Expert Witness (E01
)
• Raw (DD
)
• Virtual machine disk
fi
les (VMDK, OVF)

32. Converting Disk Formats
• EnCase can handle all three common formats
directl
y
• AccessData's FTK Imager can create, convert,
and view disk images for many format
s
• In Linux, you can mount DD images with
Filesystem in Userspace (FUSE) and mount E01
images with libewf

33. Data Encoding
• All three are "the password is solvecrime" i
n
• Base6
4
• UU encoding (link Ch 11k
)
• MD5 hash

34. Broken Lines
• This
fi
le contains credit card number
s
• But a simple text search won't
fi
nd them
because the lines are broken by the
hexadecimal values

35. Lindell's "PCAPs"
• https://twitter.com/pwnallthethings/status/1400818279292284931

36. Localizations
• Different conventions fo
r
• Times, dates, numbers, characters, etc
.
• Many different formats for dates even at the
same location

37. Analyze Your Data

38. Example: Data Theft
• Start with these types of evidenc
e
• Network anomalie
s
• Common host-based artifacts of data theft

39. Network Anomalies
• Network
fl
ow dat
a
• High outbound volume of data on a single da
y
• Unusual level of traf
fi
c over certain protocols
or port
s
• Proxy logs, DNS logs,
fi
rewall log
s
• Look for anything suspicious, such as failed
login attempts

40. Host-Based Artifacts of Data
Theft

41. Look for Malware

42. Legitimate Tools
• LOLBINs "Living off the land
"
• cmd.exe in a folder other than
WindowsSystem32 is suspiciou
s
• Many compromises use normal system tools,
not malware

43. Plan Tasks
• Example: search for abnormal user login time
s
• Do you already have a way to automate that
process
?
• You may need to develop a technique, or
perform steps manuall
y
• Consider volume of data, time required to
process, who is available to work on it, and how
likely the data source is to answer your
question

44. Select Methods
• General methods

45. External Resources
• Contains MD5 and SHA1 hashes of known
fi
le
s
• Exclude known harmless
fi
les from analysis

46. VirusTotal
• The standard to test suspicious
fi
le
s
• Links to many virus database
s
• Can work with
fi
les or hashes

47. VirusTotal Demo
• 1bb93d8cc7440ca2ccc10672347626fa9c3f227f46
ca9d1903dd360d9264cb47
• Behavior, Microsoft Sysinternals, svchost in
strange folder, Run keys
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

48. VirusTotal Demo
• 1247bb4e1d0aa5aec6fadccaac6e898980ac33b16
b69a4aa48fc6e2fb570141d
• Behavior, Microsoft Sysinternals, Files Dropped,
Email
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

49. Manual Review
• Small items such as
fl
oppy disks can be
searched in their entirety manuall
y
• Sometimes it's faster to just search manually
than to
fi
gure out a shortcu
t
• Manual review is also good to validate the
results obtained from other method
s
• Select important samples to review

50. Don't Trust Tools Too Much
• There are many tools that help forensic
s
• Data visualizatio
n
• Browser artifact analysi
s
• Malware identi
fi
catio
n
• File system metadata reportin
g
• ALWAYS VERIFY IMPORTANT FINDING
S
• Manually, or with a second too
l
• Every tool has bugs

51. Data Minimization:
Sorting & Filtering
• File system metadata may have hundreds or
thousands of
fi
le
s
• Need to exclude irrelevant data & focus on the
important dat
a
• Sort and
fi
lter b
y
• Date,
fi
lename, other attributes

52. Statistical Analysis
• You don't know exactly what you are looking fo
r
• Or how to
fi
nd i
t
• Use statistical analysis to uncover patterns or
anomalie
s
• Ex: Web server log
s
• Use a log analysis tool to parse data

53. Sawmill
• Link Ch 11a

54. String or Keyword Search
• Create a list of strings relevant to the cas
e
• Search the
fi
les for those string
s
• Emails, Word documents, etc
.
• Find more strings in those
fi
les and repea
t
• You're done when you aren't
fi
nding any new
strings to search for

55. Unallocated and Slack
Space
• Unallocated blocks often contain portions of
deleted
fi
le
s
• Unused bytes at the end of active
fi
les may also
contain fragments of old
fi
le
s
• They can both be searched by forensic suites
like EnCase, FTK, and Autopsy

56. File Carving
• Look for
fi
le headers and footers in unallocated
spac
e
• Or other raw data, such as a drive imag
e
• Attempt to reconstruct
fi
le
s
• Usually by just taking all data from the header
to the foote
r
• Foremost is a good
fi
le-carving tool

57. Evaluate Results

58. When to Evaluate Results
• Periodically throughout the analysis proces
s
• Are you making real progress, or wasting time
on a blind alley
?
• At the en
d
• How well has your analysis answered the
investigative questions?

59. Ch 11