This document provides an overview of the incident response analysis methodology. It discusses establishing objectives, understanding the situation and resources needed. Leadership is important to define objectives and prevent miscommunication. The analysis should focus on answering realistic questions within the defined scope. All data sources like operating systems, applications, user data, and networks should be understood. Various analysis methods are described like reviewing anomalies, host artifacts, malware analysis, tools, and manual review. The results should be periodically evaluated for progress and completeness in answering questions.

1. CNIT 152:
Incident
Response
11 Analysis Methodology
Updated 10-21-21

2. Process

3. De
fi
ne Objectives

4. Background
• You must have a commanding knowledge of
both the situation and the technology,
understanding
:
• What are you looking to determine
?
• Is it possible to form a conclusion from the
facts you have
?
• How long will it take?

5. Background
• What resources will you need
?
• Who is interested in your results
?
• What do they plan to do with them?

6. Leadership
• Identify who will de
fi
ne the objective
s
• Ensure that the entire investigative team knows
who that person i
s
• This prevents miscommunication and loss of
focus

7. Proving a Negative
• Don't attempt to "prove" that a server was not
compromise
d
• That task is dif
fi
cult or impossibl
e
• Because you won't have enough informatio
n
• Audit trails don't cover every actio
n
• Logs don't go back to the start of time

8. Positive Goals
• Look for a set of indicators of compromis
e
• State if you can
fi
nd an
y
• If indicators are reasonable
,
• You can state an opinion that the system was
likely not compromise
d
• But you don't know for sure

9. Realistic Questions
• Is malware present on this computer
?
• Not realistic to determine for sur
e
• Is there an active
fi
le with this speci
fi
c MD5
hash on this computer
?
• Realistic, easy to answer

10. Scope
• Too vague
:
• Look at this hard driv
e
• Look at all e-mai
l
• Better
:
• Review all active .pst
fi
les for any email Bob
Smith received within the last month

11. Why?
• Always ask "Why?
"
• Keep asking questions until the stakeholders
come to a consensus about the scope and
purpose of the analysi
s
• Analyst may need to de
fi
ne the objectives
because the company representatives don't
understand what is possible or reasonable

12. Know Your Data

13. Where is Data Stored?
• Desktop and laptop computer
s
• Hard drive
s
• External storag
e
• Virtual desktops--no local storage, everything
on centralized virtualization infrastructure

14. Where is Data Stored?
• Server
s
• Data centers, server rooms, or
communication closet
s
• Often rack-mounte
d
• At least one hard drive for operating syste
m
• May contain additional drives, or use
external storage solutions exclusively,
especially for virtual servers

15. Where is Data Stored?
• Mobile device
s
• Phones, personal digital assistants (PDAs),
tablet, wearable computer
s
• Small amount of nonvolatile storag
e
• Flash memor
y
• Expansion slots and ports for external
storage devices

16. Where is Data Stored?
• Storage solutions and medi
a
• USB
fl
ash drives and hard drive
s
• CDs and DVD
s
• Network Attached Storage (NAS
)
• Storage Area Network (SAN)

17. Where is Data Stored?
• Network Device
s
• Firewalls, switches, router
s
• Typically don't store user dat
a
• Contain con
fi
guration and logging data

18. "The county has, for whatever reason, also refused to produce
the network routers. We want the routers, Sonny, Wendy, we
got to get those routers, please. The routers. Come on, Kelly,
we can get those routers. Those routers ... Why are these
commissioners
fi
ghting not to give the routers?"

19. Where is Data Stored?
• Cloud service
s
• Off-site third-party service hosting dat
a
• Hosted email, timesheets, payroll, human
resource
s
• Dropbox, Google Drive, etc.

20. Where is Data Stored?
• Backup
s
• Can be stored on local device
s
• Disaster recovery plan requires off-site
backup
s
• Most commonly on tape, but could be on USB
drives or DVD
s
• Cloud-based, like Carbonite or Mozy

21. "... an Apple staffer reset and
restored the iPhone 6 using his
iCloud backup
"
https://www.nbcnews.com/news/us-
news/rudy-giuliani-needed-apple-
genius-help-unlock-his-iphone-after-
n1074241

22. What's Available?
• Four types of evidenc
e
• Operating syste
m
• Application
s
• User dat
a
• Network services and instrumentation

23. Operating System
• File systems like NTFS and HFS
+
• State information such as running processes
and open network port
s
• OS log
s
• OS-speci
fi
c data sources, like Windows registry,
Unix syslog, and Apple plist
fi
les

24. File Systems
• Can be independent of operating system
s
• General concepts
:
• Allocation unit
s
• Active
fi
les, deleted
fi
le
s
• Timestamp
s
• Unallocated (free) space,
fi
le slac
k
• Partition tables

25. File Systems
• Unique characteristics, data, and artifact
s
• NTFS
fi
lename timestamps (link Ch 11i
)
• NTFS data stream
s
• UFS inode
s
• HFS resource fork
s
• File Allocation Table for FAT12, 16, and 32

26. Brian Carrier's Book
• From 200
5
• Authoritativ
e
• Very detaile
d
• Link Ch 11b

27. Application-Speci
fi
c
Artifacts
• Internet browser cach
e
• Database
fi
le
s
• Web server log
s
• Chat program user preferences and log
s
• Email client data
fi
le
s
• Often left behind when applications are
uninstalled

28. User Data
• Email, documents, spreadsheets, source cod
e
• May be on their day-to-day syste
m
• Or other systems throughout the environmen
t
• May be in centralized locations for each user

29. Network Services and
Instrumentation
• DHCP, DNS, Proxy server
s
• Network
fl
ow dat
a
• IDS/IPS system
s
• Firewalls

30. Access Your Data

31. Raw Data
• May be
• Encrypted, compressed, or encode
d
• In a custom forma
t
• Provided on original hard drive
s
• Contained in hard drive image
s
• Broken

32. Ask Questions
• Determine what you hav
e
• If someone else provides the data,
• You must ask good question
s
• You may have trouble using the data you
receive

33. Disk Images
• May be encrypte
d
• Could be logical copy, forensic image, or clon
e
• Could be from a RAI
D
• Three common formats
:
• Expert Witness (E01
)
• Raw (DD
)
• Virtual machine disk
fi
les (VMDK, OVF)

34. Converting Disk Formats
• EnCase can handle all three common formats
directl
y
• AccessData's FTK Imager can create, convert,
and view disk images for many format
s
• In Linux, you can mount DD images with
Filesystem in Userspace (FUSE) and mount E01
images with libewf

35. Data Encoding
• All three are "the password is solvecrime" i
n
• Base6
4
• UU encoding (link Ch 11k
)
• MD5 hash

36. Broken Lines
• This
fi
le contains credit card number
s
• But a simple text search won't
fi
nd them
because the lines are broken by the
hexadecimal values

37. Lindell's "PCAPs"
• https://twitter.com/pwnallthethings/status/1400818279292284931

38. Localizations
• Different conventions fo
r
• Times, dates, numbers, characters, etc
.
• Many different formats for dates even at the
same location

39. Analyze Your Data

40. Example: Data Theft
• Start with these types of evidenc
e
• Network anomalie
s
• Common host-based artifacts of data theft

41. Network Anomalies
• Network
fl
ow dat
a
• High outbound volume of data on a single da
y
• Unusual level of traf
fi
c over certain protocols
or port
s
• Proxy logs, DNS logs,
fi
rewall log
s
• Look for anything suspicious, such as failed
login attempts

42. Host-Based Artifacts of Data
Theft

43. Look for Malware

44. Legitimate Tools
• LOLBINs "Living off the land
"
• cmd.exe in a folder other than
WindowsSystem32 is suspiciou
s
• Many compromises use normal system tools,
not malware

45. Plan Tasks
• Example: search for abnormal user login time
s
• Do you already have a way to automate that
process
?
• You may need to develop a technique, or
perform steps manuall
y
• Consider volume of data, time required to
process, who is available to work on it, and how
likely the data source is to answer your
question

46. Select Methods
• General methods

47. External Resources
• Contains MD5 and SHA1 hashes of known
fi
le
s
• Exclude known harmless
fi
les from analysis

48. VirusTotal
• The standard to test suspicious
fi
le
s
• Links to many virus database
s
• Can work with
fi
les or hashes

49. VirusTotal Demo
• 1bb93d8cc7440ca2ccc10672347626fa9c3f227f46
ca9d1903dd360d9264cb47
• Behavior, Microsoft Sysinternals, svchost in
strange folder, Run keys
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

50. VirusTotal Demo
• 1247bb4e1d0aa5aec6fadccaac6e898980ac33b16
b69a4aa48fc6e2fb570141d
• Behavior, Microsoft Sysinternals, Files Dropped,
Email
• https://blog.virustotal.com/2021/10/virustotal-multisandbox-microsoft.html

51. Manual Review
• Small items such as
fl
oppy disks can be
searched in their entirety manuall
y
• Sometimes it's faster to just search manually
than to
fi
gure out a shortcu
t
• Manual review is also good to validate the
results obtained from other method
s
• Select important samples to review

52. Don't Trust Tools Too Much
• There are many tools that help forensic
s
• Data visualizatio
n
• Browser artifact analysi
s
• Malware identi
fi
catio
n
• File system metadata reportin
g
• ALWAYS VERIFY IMPORTANT FINDING
S
• Manually, or with a second too
l
• Every tool has bugs

53. Data Minimization:
Sorting & Filtering
• File system metadata may have hundreds or
thousands of
fi
le
s
• Need to exclude irrelevant data & focus on the
important dat
a
• Sort and
fi
lter b
y
• Date,
fi
lename, other attributes

54. Statistical Analysis
• You don't know exactly what you are looking fo
r
• Or how to
fi
nd i
t
• Use statistical analysis to uncover patterns or
anomalie
s
• Ex: Web server log
s
• Use a log analysis tool to parse data

55. Sawmill
• Link Ch 11a

56. String or Keyword Search
• Create a list of strings relevant to the cas
e
• Search the
fi
les for those string
s
• Emails, Word documents, etc
.
• Find more strings in those
fi
les and repea
t
• You're done when you aren't
fi
nding any new
strings to search for

57. Unallocated and Slack
Space
• Unallocated blocks often contain portions of
deleted
fi
le
s
• Unused bytes at the end of active
fi
les may also
contain fragments of old
fi
le
s
• They can both be searched by forensic suites
like EnCase, FTK, and Sleuthkit

58. File Carving
• Look for
fi
le headers and footers in unallocated
spac
e
• Or other raw data, such as a drive imag
e
• Attempt to reconstruct
fi
le
s
• Usually by just taking all data from the header
to the foote
r
• Foremost is a good
fi
le-carving tool

59. Evaluate Results

60. When to Evaluate Results
• Periodically throughout the analysis proces
s
• Are you making real progress, or wasting time
on a blind alley
?
• At the en
d
• How well has your analysis answered the
investigative questions?

61. Example
• I participated in the Dept. of Defense Bug
Bounty program earlier this yea
r
• I ran a vulnerability scanner on the DoD sit
e
• It reported 300 Remote Code Execution vuln
s
• Manual testing showed they were false positives

62. Ch 11