SlideShare a Scribd company logo

SANS Digital Forensics and Incident Response Poster 2012

Rian Yulian
Rian Yulian

This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.

Technology
1 of 1
Download to read offline
STEP 1: Prep Evidence/Data Reduction • Carve and Reduce Evidence - Gather Hash List from similar system (NSRL, md5deep) - Carve/Extract all .exe and .dll files from unallocated space • foremost • sorter (exe directory) • bulk_extractor • Prep Evidence - Mount evidence image in Read-Only Mode - Locate memory image you collected - Optional: Convert hiberfil.sys (if it exists to raw memory image) using volatility STEP 2: Anti-Virus Checks Run the mounted drive through an Anti Virus Scanner with the latest updates. Anti-virus scanners employ hundreds of thousands of signatures that can quickly identify well-known malware on a system. First, download the latest anti-virus signatures and mount your evidence for analysis. Use a“deep”scan when available and consider scanning your mounted drive with multiple anti-virus engines to take advantage of their scanning and signature differences. Get in the habit of scanning files exported from your images such as deleted files, data carving results, Sorter output, and email attachments. While anti-virus will not be effective on 0-day or unknown malware, it will easily find the low hanging fruit. STEP 3: Indicators of Compromise Search Using indicators of compromise (IOCs) is a very powerful technique to identify malware components on a compromised host. IOCs are implemented as a combi- nation of boolean expressions that identify specific characteristics of malware. If these characteristics are found, then you may have a hit. An IOC should be gener- al enough to find modified versions of the same malware, but specific enough to limit false positives. There are two types of indicators: Host based (shown above), and Network based (similar to snort signatures plus additional data). The best IOCs are usually created by reversing malware and application behavioral analysis. What Works? OpenIOC Framework - openioc.org IOC Editor IOC Finder YARA Project STEP 4: Automated Memory Analysis • Behavior Ruleset - Code injection detection - Process Image Path Verification • svchost outside system32 = Bad - Process User Verification (SIDs) • dllhost running as admin = Bad - Process Handle Inspection • iexplore.exe opening cmd.exe = Bad • )!voqa.i4 = known Poison Ivy mutant • Verify Digital Signatures - Only available during live analysis - Executable, DLL, and driver sig checks - Not signed? • Is it found in 75% of all processes? What Works? MANDIANT Redline www.mandiant.com/products/free_software/redline Volatility Malfind: http://code.google.com/p/volatility STEP 5: Evidence of Persistence Malware wants to hide, but it also wants to survive a reboot. Malware persistence is extremely common and is an excellent way to find hidden malware. Persistence comes in many forms. The simplest mechanism is via scheduled tasks and the“at” command. Other popular persistence mechanisms include Windows Services and auto-start locations. An adversary can run their malware as a new service or even replace an existing service. There are numerous Windows Registry mechanisms to auto-start an executable at boot or login. Using a tool called autorunsc.exe will eas- ily parse the autostart locations across scheduled tasks, services, and registry keys. While these are the most common, keep in mind there are more advanced tech- niques. For example the Mebromi malware even flashes the BIOS to persist. Attacks of this nature are rare because even the simplest of techniques are effective, allowing attackers to maintain persistence for long periods of time without being discovered. What Works? Autorunsc.exe from Microsoft sysinternals http://technet.microsoft.com/en-us/sysinternals/bb963902 STEP 6: Packing/Entropy Check • Scan the file system or common locations for possible malware - Indication of packing - Entropy test - Compiler and packing signatures identification - Digital signature or signed driver checks What Works? MANDIANT Red-Curtain http://www.mandiant.com/resources/download/red-curtain DensityScout http://cert.at/downloads/software/densityscout_en.html Sigcheck - http://technet.microsoft.com/en-us/sysinternals/bb897441 STEP 7: Review Event Logs What Works? logparser - http://www.microsoft.com/download/en/details.aspx?id=24659 Event Log Explorer - http://eventlogxp.com Log Parser Lizard - http://www.lizard-labs.net STEP 8: Super Timeline Examination Once you are down to about 10-20 candidates, it is a good time to identify where those files show up in your timeline. The additional context of seeing other files in close temporal proximity to your candidates allows you to identify false positives and focus on those files most likely to be malicious. In the above example, we see the creation of the file winsvchost.exe in the C:Windows System32 directory. If this were one of your candidate files, you would clearly see artifacts that indicate a spearphishing attack surrounding that file’s creation time. Notably, an .XLS file was opened via email, winsvchost.exe was executed, an auto-start persistence mechanism was created and finally, a network socket was opened. All within one second! Contextual clues in temporal proximity to the files you are examining are quite useful in your overall case. What Works? log2timeline found in SIFT Workstation http://computer-forensics.sans.org/community/downloads STEP 9: By-Hand Memory Analysis Memory analysis is one of the most powerful tools for finding malware. Malware has to run to be effective, creating a footprint that can often be easily discovered via memory forensics. A standard analysis can be broken down into six major steps. Some of these steps might be conducted during incident response, but using a memory image gives deeper insight and overcomes any rootkit techniques that malware uses to protect itself. Memory analysis tools are operating system specific. Since each tool gathers and displays information differently, use multiple tools to check your results. What Works? Volatility http://code.google.com/p/volatility Mandiant Redline www.mandiant.com/products/free_software/redline STEP 10: By-Hand 3rd Party Hash Lookups Hash lookups to eliminate known good files and identify known bad files is a useful technique when narrowing down potential malware. Bit9 FileAdvisor is a free search engine for querying Bit9’s application whitelisting database. It is available via online lookup, as well as via a downloadable utility (http://fileadvisor.bit9.com/services/wu/latest/FileAdvisor.msi). The National Software Reference Library also provides a robust set of known good hashes for use. VirusTotal will scan a file through over 40 different A/V scanners to determine if any of the current signatures detect the malware. VirusTotal also allows its database to be searched via MD5 hashes, returning prior analyses for candidate files with the same MD5. What Works? VirusTotal www.virustotal.com and bit9 http://fileadvisor.bit9.com NSRL Query http://nsrlquery.sourceforge.net STEP 11: MFT Anomalies A typical file system has hundreds of thousands of files. Each file has its own MFT Record Number. Because of the way operating systems are installed, it’s normal to see files under entire directory structures written to disk with largely sequential MFT Record Number values. For example, above is a partial directory listing from a Windows NTFS partition’s %system32% directory, sorted by date. Note that the MFT Record Number values are largely sequential and with some exceptions, tend to align with the file creation times. As file systems are used over the years and new patches are applied causing files to be backed up and replaced, the ordering of these files by MFT Record Number numbers can break down. Surprisingly, this ordering remains intact enough on many systems, even after years of use, that we can use it to spot files of interest. This will not happen every time as MFT entries are recycled fairly quickly, but in many cases an outlier can be identified. STEP 12: File-Time Anomalies • Timestamp Anomalies - $SI Time is before $FN Time - Nanoseconds values are all zeroes One of the ways to tell if file time backdating occurred on a windows machine is to examine the NTFS $Filename times compared to the times stored in $Standard Information. Tools such as timestomp allow a hacker to backdate a file to an arbitrary time of their choosing. Generally, hackers do this only to programs they are trying to hide in the system32 or similar system directories. Those directories and files would be a great place to start. Look to see if the $Filename (FN) creation time occurs after the $Standard Info creation time as this often indicates an anomaly. What Works? analyzeMFT.py found on SIFT Workstation and www.integriography.com log2timeline found on SIFT Workstation STEP 13: You Have Malware! Now What? • Hand it to Malware Analyst - FOR610 – RE Malware - Hand over sample, relevant configuration files, memory snapshot • Typical Output from Malware Analyst - Host-based indicators - Network-based indicators - Report on malware capabilities and purpose • You can now find additional systems compromised by the malware you found Finding Unknown Malware – Step-By-Step Finding unknown malware is an intimidating process to many, but can be simplified by following some simple steps to help narrow your search. This is not an easy process, but using the techniques in this chart you will learn how to narrow the 80,000 files on a typical machine down to the 1-4 files that is possible malware. This process of Malware Funneling is key to your quick and efficient analysis of compromised hosts and will involve most of the skills you have built up across both FOR408 Windows Forensics and FOR508 Advanced Forensics and Incident Response Windows Time Rules $ S T D I N F O $ F I L E N A M E Modified – No Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – Change Access – No Change Creation – No Change Metadata – Changed Modified – Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – Change NoChangeon Vista/Win7 Creation – No Change Metadata – Changed Modified – No Change Access – Change Creation – No Change Metadata – Changed Modified – No Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed File Rename Local File Move Volume File Move File Copy File Access File Modify File Creation File Deletion File Rename Local File Move Volume File Move File Copy File Access File Modify File Creation File Deletion Digital Forensics and Incident Response P O S T E R FALL 2012 – 22n d EDITION http://computer-forensics.sans.org Website: http://computer-forensics.sans.org Blogs: http://computer-forensics.sans.org/blog SIFT Workstation: http://computer-forensics.sans.org/ community/downloads Twitter: www.twitter.com/sansforensics REMNUX http://zeltser.com/remnux Additional Forensics Course FOR558 Network Forensics FOR563 Mobile Device Forensics FOR508 Advanced Computer Forensic Analysis Incident Response GCFA FOR408 Computer Forensic Investigations – Windows In-Depth GCFE FOR610 REM: Malware Analysis Tools Techniques GREM FOR526 Windows Memory Forensics In-Depth SANS Digital Forensics and Incident Response C urriculum

Recommended

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
Farouk2nd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 

Recommended

Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
IIJ
 
Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314Security Analyst Workshop - 20190314
Security Analyst Workshop - 20190314
Florian Roth
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
Farouk2nd
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
Dhruv Majumdar
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
GIBIN JOHN
 
SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
Rian Yulian
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
Darren Pauli
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
Albert Hui
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
ShivamSharma909
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
Apurv Singh Gautam
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
Symantec Security Response
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
ManjuAppukuttan2
 

More Related Content

What's hot

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
Rian Yulian
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
Digit Oktavianto
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
Michael Gough
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
Chris Gates
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
Will Schroeder
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
Darren Pauli
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
Teymur Kheirkhabarov
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
Albert Hui
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Teymur Kheirkhabarov
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
n|u - The Open Security Community
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
ShivamSharma909
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
Apurv Singh Gautam
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
Symantec Security Response
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 

What's hot (20)

SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012SANS Windows Artifact Analysis 2012
SANS Windows Artifact Analysis 2012
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
You can detect PowerShell attacks
You can detect PowerShell attacksYou can detect PowerShell attacks
You can detect PowerShell attacks
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
The Six Stages of Incident Response
The Six Stages of Incident Response The Six Stages of Incident Response
The Six Stages of Incident Response
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware Analysis
 
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows EnvironmentHunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
 
Living off the land and fileless attack techniques
Living off the land and fileless attack techniquesLiving off the land and fileless attack techniques
Living off the land and fileless attack techniques
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 

Similar to SANS Digital Forensics and Incident Response Poster 2012

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
ManjuAppukuttan2
 
DR FAT
DR FATDR FAT
DR FAT
John Laycock
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromise
Cal Bryant
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaCTIN
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
Natraj G
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploitdevilback
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
securityxploded
 
Security Handbook
Security Handbook Security Handbook
Security Handbook
Anthony Hasse
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
isc2-hellenic
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
Alexander Kot
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
Cysinfo Cyber Security Community
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detectionUltraUploader
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
MAHESHUMANATHGOPALAK
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
BeratAkit
 

Similar to SANS Digital Forensics and Incident Response Poster 2012 (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
DR FAT
DR FATDR FAT
DR FAT
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromise
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
Ch11
Ch11Ch11
Ch11
 
Finalppt metasploit
Finalppt metasploitFinalppt metasploit
Finalppt metasploit
 
Basic malware analysis
Basic malware analysisBasic malware analysis
Basic malware analysis
 
Security Handbook
Security Handbook Security Handbook
Security Handbook
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment Building next gen malware behavioural analysis environment
Building next gen malware behavioural analysis environment
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for AssociatesSyed Ubaid Ali Jafri - Black Box Penetration testing for Associates
Syed Ubaid Ali Jafri - Black Box Penetration testing for Associates
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf100 Security Operation Center Tools.pdf
100 Security Operation Center Tools.pdf
 
SOC-BlueTEam.pdf
SOC-BlueTEam.pdfSOC-BlueTEam.pdf
SOC-BlueTEam.pdf
 

Recently uploaded

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 

Recently uploaded (20)

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 

SANS Digital Forensics and Incident Response Poster 2012

  • 1. STEP 1: Prep Evidence/Data Reduction • Carve and Reduce Evidence - Gather Hash List from similar system (NSRL, md5deep) - Carve/Extract all .exe and .dll files from unallocated space • foremost • sorter (exe directory) • bulk_extractor • Prep Evidence - Mount evidence image in Read-Only Mode - Locate memory image you collected - Optional: Convert hiberfil.sys (if it exists to raw memory image) using volatility STEP 2: Anti-Virus Checks Run the mounted drive through an Anti Virus Scanner with the latest updates. Anti-virus scanners employ hundreds of thousands of signatures that can quickly identify well-known malware on a system. First, download the latest anti-virus signatures and mount your evidence for analysis. Use a“deep”scan when available and consider scanning your mounted drive with multiple anti-virus engines to take advantage of their scanning and signature differences. Get in the habit of scanning files exported from your images such as deleted files, data carving results, Sorter output, and email attachments. While anti-virus will not be effective on 0-day or unknown malware, it will easily find the low hanging fruit. STEP 3: Indicators of Compromise Search Using indicators of compromise (IOCs) is a very powerful technique to identify malware components on a compromised host. IOCs are implemented as a combi- nation of boolean expressions that identify specific characteristics of malware. If these characteristics are found, then you may have a hit. An IOC should be gener- al enough to find modified versions of the same malware, but specific enough to limit false positives. There are two types of indicators: Host based (shown above), and Network based (similar to snort signatures plus additional data). The best IOCs are usually created by reversing malware and application behavioral analysis. What Works? OpenIOC Framework - openioc.org IOC Editor IOC Finder YARA Project STEP 4: Automated Memory Analysis • Behavior Ruleset - Code injection detection - Process Image Path Verification • svchost outside system32 = Bad - Process User Verification (SIDs) • dllhost running as admin = Bad - Process Handle Inspection • iexplore.exe opening cmd.exe = Bad • )!voqa.i4 = known Poison Ivy mutant • Verify Digital Signatures - Only available during live analysis - Executable, DLL, and driver sig checks - Not signed? • Is it found in 75% of all processes? What Works? MANDIANT Redline www.mandiant.com/products/free_software/redline Volatility Malfind: http://code.google.com/p/volatility STEP 5: Evidence of Persistence Malware wants to hide, but it also wants to survive a reboot. Malware persistence is extremely common and is an excellent way to find hidden malware. Persistence comes in many forms. The simplest mechanism is via scheduled tasks and the“at” command. Other popular persistence mechanisms include Windows Services and auto-start locations. An adversary can run their malware as a new service or even replace an existing service. There are numerous Windows Registry mechanisms to auto-start an executable at boot or login. Using a tool called autorunsc.exe will eas- ily parse the autostart locations across scheduled tasks, services, and registry keys. While these are the most common, keep in mind there are more advanced tech- niques. For example the Mebromi malware even flashes the BIOS to persist. Attacks of this nature are rare because even the simplest of techniques are effective, allowing attackers to maintain persistence for long periods of time without being discovered. What Works? Autorunsc.exe from Microsoft sysinternals http://technet.microsoft.com/en-us/sysinternals/bb963902 STEP 6: Packing/Entropy Check • Scan the file system or common locations for possible malware - Indication of packing - Entropy test - Compiler and packing signatures identification - Digital signature or signed driver checks What Works? MANDIANT Red-Curtain http://www.mandiant.com/resources/download/red-curtain DensityScout http://cert.at/downloads/software/densityscout_en.html Sigcheck - http://technet.microsoft.com/en-us/sysinternals/bb897441 STEP 7: Review Event Logs What Works? logparser - http://www.microsoft.com/download/en/details.aspx?id=24659 Event Log Explorer - http://eventlogxp.com Log Parser Lizard - http://www.lizard-labs.net STEP 8: Super Timeline Examination Once you are down to about 10-20 candidates, it is a good time to identify where those files show up in your timeline. The additional context of seeing other files in close temporal proximity to your candidates allows you to identify false positives and focus on those files most likely to be malicious. In the above example, we see the creation of the file winsvchost.exe in the C:Windows System32 directory. If this were one of your candidate files, you would clearly see artifacts that indicate a spearphishing attack surrounding that file’s creation time. Notably, an .XLS file was opened via email, winsvchost.exe was executed, an auto-start persistence mechanism was created and finally, a network socket was opened. All within one second! Contextual clues in temporal proximity to the files you are examining are quite useful in your overall case. What Works? log2timeline found in SIFT Workstation http://computer-forensics.sans.org/community/downloads STEP 9: By-Hand Memory Analysis Memory analysis is one of the most powerful tools for finding malware. Malware has to run to be effective, creating a footprint that can often be easily discovered via memory forensics. A standard analysis can be broken down into six major steps. Some of these steps might be conducted during incident response, but using a memory image gives deeper insight and overcomes any rootkit techniques that malware uses to protect itself. Memory analysis tools are operating system specific. Since each tool gathers and displays information differently, use multiple tools to check your results. What Works? Volatility http://code.google.com/p/volatility Mandiant Redline www.mandiant.com/products/free_software/redline STEP 10: By-Hand 3rd Party Hash Lookups Hash lookups to eliminate known good files and identify known bad files is a useful technique when narrowing down potential malware. Bit9 FileAdvisor is a free search engine for querying Bit9’s application whitelisting database. It is available via online lookup, as well as via a downloadable utility (http://fileadvisor.bit9.com/services/wu/latest/FileAdvisor.msi). The National Software Reference Library also provides a robust set of known good hashes for use. VirusTotal will scan a file through over 40 different A/V scanners to determine if any of the current signatures detect the malware. VirusTotal also allows its database to be searched via MD5 hashes, returning prior analyses for candidate files with the same MD5. What Works? VirusTotal www.virustotal.com and bit9 http://fileadvisor.bit9.com NSRL Query http://nsrlquery.sourceforge.net STEP 11: MFT Anomalies A typical file system has hundreds of thousands of files. Each file has its own MFT Record Number. Because of the way operating systems are installed, it’s normal to see files under entire directory structures written to disk with largely sequential MFT Record Number values. For example, above is a partial directory listing from a Windows NTFS partition’s %system32% directory, sorted by date. Note that the MFT Record Number values are largely sequential and with some exceptions, tend to align with the file creation times. As file systems are used over the years and new patches are applied causing files to be backed up and replaced, the ordering of these files by MFT Record Number numbers can break down. Surprisingly, this ordering remains intact enough on many systems, even after years of use, that we can use it to spot files of interest. This will not happen every time as MFT entries are recycled fairly quickly, but in many cases an outlier can be identified. STEP 12: File-Time Anomalies • Timestamp Anomalies - $SI Time is before $FN Time - Nanoseconds values are all zeroes One of the ways to tell if file time backdating occurred on a windows machine is to examine the NTFS $Filename times compared to the times stored in $Standard Information. Tools such as timestomp allow a hacker to backdate a file to an arbitrary time of their choosing. Generally, hackers do this only to programs they are trying to hide in the system32 or similar system directories. Those directories and files would be a great place to start. Look to see if the $Filename (FN) creation time occurs after the $Standard Info creation time as this often indicates an anomaly. What Works? analyzeMFT.py found on SIFT Workstation and www.integriography.com log2timeline found on SIFT Workstation STEP 13: You Have Malware! Now What? • Hand it to Malware Analyst - FOR610 – RE Malware - Hand over sample, relevant configuration files, memory snapshot • Typical Output from Malware Analyst - Host-based indicators - Network-based indicators - Report on malware capabilities and purpose • You can now find additional systems compromised by the malware you found Finding Unknown Malware – Step-By-Step Finding unknown malware is an intimidating process to many, but can be simplified by following some simple steps to help narrow your search. This is not an easy process, but using the techniques in this chart you will learn how to narrow the 80,000 files on a typical machine down to the 1-4 files that is possible malware. This process of Malware Funneling is key to your quick and efficient analysis of compromised hosts and will involve most of the skills you have built up across both FOR408 Windows Forensics and FOR508 Advanced Forensics and Incident Response Windows Time Rules $ S T D I N F O $ F I L E N A M E Modified – No Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – No Change Access – No Change Creation – No Change Metadata – No Change Modified – Change Access – No Change Creation – No Change Metadata – Changed Modified – Change Access – No Change Creation – No Change Metadata – Changed Modified – No Change Access – Change NoChangeon Vista/Win7 Creation – No Change Metadata – Changed Modified – No Change Access – Change Creation – No Change Metadata – Changed Modified – No Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed Modified – Change Access – Change Creation – Change Metadata – Changed File Rename Local File Move Volume File Move File Copy File Access File Modify File Creation File Deletion File Rename Local File Move Volume File Move File Copy File Access File Modify File Creation File Deletion Digital Forensics and Incident Response P O S T E R FALL 2012 – 22n d EDITION http://computer-forensics.sans.org Website: http://computer-forensics.sans.org Blogs: http://computer-forensics.sans.org/blog SIFT Workstation: http://computer-forensics.sans.org/ community/downloads Twitter: www.twitter.com/sansforensics REMNUX http://zeltser.com/remnux Additional Forensics Course FOR558 Network Forensics FOR563 Mobile Device Forensics FOR508 Advanced Computer Forensic Analysis Incident Response GCFA FOR408 Computer Forensic Investigations – Windows In-Depth GCFE FOR610 REM: Malware Analysis Tools Techniques GREM FOR526 Windows Memory Forensics In-Depth SANS Digital Forensics and Incident Response C urriculum