What the Heck Just Happened?
An Introduction to Digital Forensics for Incident Response
Ken Evans
Information Security Incident Response Lead
Henry Ford Health Systems
CISSP, GSEC, GCFA, GCFE
Kevans.infosec@gmail.com
http://csc-hub.com/what_the_heck.pdf
What We’re Covering
• Introduction to Digital Forensics
• Basic memory analysis of a host with Mandiant Redline
• Intermediate file system analysis of a host with Log2timeline
We Are NOT Covering…
• Proper evidence handling procedures
• Detailed information about forensic artifacts
• About 165 tools in the SANS SIFT workstation
• The best way to scale this for a business
To Get the Most Value From This Presentation
• Don’t try to memorize the steps
• Keep a high-level view and go for the concepts
• See if this looks useful or fun
• Follow up by getting the presentation and accessing the links at the end
The Scenario
• You’re at work browsing when suddenly a popup window appears and then goes away immediately.
• You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing.
• Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in Ukraine.
• A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices.
BUT…
Classical Incident Response
• Preparation
• Identification and Scoping
• Containment / Intelligence Gathering
• Eradication / Remediation
• Recovery
• Follow Up / Lessons Learned
Incident Response with Full Intrusion Analysis
The same six phases as above, with an Intrusion Analysis component added:
• Intrusion Analysis: Memory Forensics, Timeline Analysis, File System Analysis, Data Recovery
Our Approach
Memory is VERY volatile, so we need to capture it as soon as possible. We’ll use Mandiant Redline for this.
Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
Some Assembly Required
1. Examiner system (64-bit, 4 GB RAM for VMware support)
2. Installation of Mandiant Redline on the Examiner system
3. External storage, larger than memory
4. External storage, larger than the source hard drive
5. Ubuntu Desktop 14 install disc on DVD or bootable USB
6. Installation of VMware Player on Examiner system
7. Installation of SANS SIFT Workstation 3 on Examiner system
8. MS Excel or other spreadsheet program (macro compatible)
For Memory Analysis:
For Disk Image Analysis:
Mandiant Redline Overview
Malware can sometimes hide in transit or on disk, but eventually…
IT MUST EXECUTE
And to do that it needs to use…
MEMORY!
Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
Creating a Redline Collector
Create a “Standard Collector” from Redline on your Examiner system.
Collector Option - Acquire Memory Image
Make sure to Acquire Memory Image. Save the Collector to USB device.
Running the Redline Collector on the Subject
Run the Redline Collector from the USB device in a command-line session with elevated privileges.
Collector Can Take a While
Depends mostly on:
• Machine speed
• RAM size
• Disk speed
Time for the Subject Disk Image
We need to capture a disk image without changing or corrupting the contents.
One simple way to do this is to use Linux to read the disk.
Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
Boot Ubuntu Live CD on Subject System
Launch a Terminal Session
Escalate to Super User
Note the Source Drive with lsblk
Source 30 GB drive device is /dev/sda2
Mounted external media is /media/ubuntu/FreeAgent Drive
Note: In Linux, everything is a file.
Use the dd Command to Make a Disk Image File
dd Command Syntax
if = input “file” (the source device, e.g. /dev/sda2, because in Linux everything is a file)
of = output file (the image file on the external drive)
bs = bytes to copy per read/write (i.e. buffer size)
conv = conversion flags:
noerror = continue after a read error instead of stopping
notrunc = do not truncate the output file
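To make the dd step concrete, here is an added example (not from the slides) of the acquisition command the syntax list describes, wrapped in a small script that also records SHA-256 hashes of the source and of the image so the copy can later be shown to match. The image file name subject.dd and the helper names image_disk, hash_file and verify_image are my own; the device /dev/sda2 and the mount point /media/ubuntu/FreeAgent Drive are the ones shown on the slides.

```shell
#!/bin/sh
# Added example, not from the slides: the dd acquisition the deck describes,
# plus hashes of source and image. Run from the Ubuntu live session as root
# (sudo -i) with the external drive already mounted.

# Copy every byte of the source "file" (a raw device) to an image file.
#   bs       = buffer size per read/write (4 MiB here)
#   noerror  = keep going after a read error instead of stopping
#   notrunc  = do not truncate the output file
image_disk() {
  src="$1"; img="$2"
  dd if="$src" of="$img" bs=4M conv=noerror,notrunc
}

# SHA-256 of any "file", including a raw device, as a bare hex string.
hash_file() {
  sha256sum "$1" | awk '{ print $1 }'
}

# Hash the source and the image, write both digests to a sidecar file beside
# the image, and return 0 only when the two digests match.
verify_image() {
  src="$1"; img="$2"
  src_hash=$(hash_file "$src"); img_hash=$(hash_file "$img")
  printf 'source  %s  %s\nimage   %s  %s\n' \
    "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
  [ "$src_hash" = "$img_hash" ]
}

# Usage on the subject, with the device and mount point from the slides
# (the image file name is an assumption):
#   image_disk  /dev/sda2 "/media/ubuntu/FreeAgent Drive/subject.dd"
#   verify_image /dev/sda2 "/media/ubuntu/FreeAgent Drive/subject.dd"
```

Two caveats worth knowing before running this on a real drive: conv=noerror alone skips an unreadable block, which shifts every later byte of the image; adding sync (conv=noerror,sync,notrunc) pads the bad block with zeros so offsets stay aligned, at the cost of zero-filling up to bs bytes per error, which is why a small bs is common on failing disks. And the source digest is only meaningful when nothing is writing to the device, which is the case from the live CD but not on a running subject.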
Image Can Take a While
Depends mostly on:
• Machine speed
• Disk size
• Disk speed
Analyze the Memory
• Shut down Ubuntu / the Subject system
• Hook the USB drive up to your Examiner system
• Run Mandiant Redline
Open Collected Redline Data
Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
Browse to your Collector Data
Browse to the Collector data on the USB device.
Select the Time Stamped Audit Folder
Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
Browse to your Collector Data
We don’t need the Advanced or Indicators of Compromise options. Click Next.
Hurry Up and Wait
No time for movies, though!
Select the Full Live Response Option
Review the Processes
Closer Examination of svchost.exe
MRI Report for svchost.exe - 1
MRI Report for svchost.exe - 2
Analyze the Disk Image
• Hook the USB drive up to your Examiner system
• Launch VMware Player
• Launch SIFT Workstation
• Make sure the USB drive is readable (mounted) in the SIFT Workstation
Super Timeline Process Overview
1. Acquire Image - Ubuntu desktop live CD boot, dd command
2. Mount image for processing - Launch SIFT workstation, mount command
3. Create comprehensive timeline - log2timeline command
4. Filter the timeline - l2t_process command
5. Apply colorization macro - Colorize, sort, and analyze
SIFT Workstation 3.0
Escalate your Privileges to Super User
Mount the .dd Image
mount Command Syntax
mount [options] sourcefile mountpoint
-o = options flag; the options used here are:
ro = read-only
loop = loopback (mount an image file as if it were a device)
show_sys_files = yes, show the NTFS system (metadata) files
streams_interface = how to interpret NTFS alternate data streams
Optional: Verify the Mount
Execute the log2timeline Command
log2timeline Command Syntax
log2timeline [options] [-f format] [-z timezone] log_file [-w bodyfile]
-p = preprocess (trust me, you want it)
-r = recursive
-f = format. There are several; check the docs for your type (-f list).
-z = timezone. Use the timezone of the subject system. Check the docs for the string (-z list).
How to List the Format Options
How to List the Time Zones
The “-z list” feature will let you see the complete list of time zones and the strings to use.
log2timeline Sample Run
Timeline Might Take a While
Depends mostly on:
• Machine speed
• Disk speed
• Age of machine / size of logs
Let’s Trim it Down
The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
l2t_process Command
l2t_process Command Syntax
l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]
Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY
NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
Output of l2t_process
This is a date-filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
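The mount, log2timeline and l2t_process steps above each appear on the slides as a screenshot. The script below is an added example (not from the deck or the SIFT project) that strings them together the way they are typed into the SIFT workstation. The paths /cases and /mnt/windows_mount, the win7 input format and the EST5EDT time zone are assumptions for illustration; streams_interface=windows is the ntfs-3g value that exposes alternate data streams. Because l2t_process itself is not available outside SIFT, filter_timeline is a small awk stand-in that reproduces the two things the slides attribute to it (the date-range filter and duplicate removal) and runs on a constructed sample CSV in the legacy log2timeline column layout, so the effect can be checked offline.

```shell
#!/bin/sh
# Added example, not from the slides or the SIFT project: the three SIFT
# steps of the super timeline. Paths, the "win7" format and the EST5EDT
# time zone are assumptions for illustration.

# Step 2: mount the dd image read-only through a loop device. show_sys_files
# exposes the NTFS metadata files ($MFT etc.) that log2timeline parses;
# streams_interface=windows (ntfs-3g) exposes alternate data streams.
mount_image() {
  img="$1"; mnt="$2"
  mkdir -p "$mnt"
  mount -o ro,loop,show_sys_files,streams_interface=windows "$img" "$mnt"
}

# Step 3: build the full timeline. -p preprocess, -r recurse, -f input
# format, -z the SUBJECT's time zone, -w the output CSV.
build_timeline() {
  mnt="$1"; out="$2"; tz="${3:-EST5EDT}"
  log2timeline -p -r -f win7 -z "$tz" "$mnt" -w "$out"
}

# Step 4: the real SIFT command is
#   l2t_process -b /cases/timeline.csv 06-23-2014..06-24-2014 > /cases/day.csv
# filter_timeline below is an awk stand-in for its date filter and duplicate
# removal. Dates are MM-DD-YYYY on the command line (as for l2t_process) and
# MM/DD/YYYY in the CSV's first column; both become a sortable YYYYMMDD key.
date_key() { printf '%s' "$1" | awk -F'[-/]' '{ print $3 $1 $2 }'; }

filter_timeline() {
  csv="$1"; range="$2"
  case "$range" in
    *..*) first="${range%%..*}"; last="${range##*..}" ;;   # start..end
    *)    first="$range"; last="$range" ;;                  # a single day
  esac
  start=$(date_key "$first"); end=$(date_key "$last")
  head -n 1 "$csv"                                # keep the header row
  tail -n +2 "$csv" | awk -F, -v s="$start" -v e="$end" '
    { split($1, d, "/"); k = d[3] d[1] d[2] }
    (k + 0) >= (s + 0) && (k + 0) <= (e + 0) && !seen[$0]++ { print }'
}

# Constructed sample (header + rows) in the legacy log2timeline CSV layout,
# with one exact duplicate row and rows on either side of the range.
make_sample_csv() {
  cat > "$1" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
06/22/2014,08:00:00,EST5EDT,...B,LOG,Win Event Log,Event logged,-,WS01,Logon,User logon,2,Security.evtx,0,-,evtx,-
06/23/2014,09:15:02,EST5EDT,MACB,FILE,NTFS $MFT,Created,-,WS01,svchost.exe,C:/Users/user1/AppData/Local/Temp/svchost.exe,2,$MFT,1234,-,mft,-
06/23/2014,09:15:02,EST5EDT,MACB,FILE,NTFS $MFT,Created,-,WS01,svchost.exe,C:/Users/user1/AppData/Local/Temp/svchost.exe,2,$MFT,1234,-,mft,-
06/23/2014,10:00:00,EST5EDT,..C.,REG,NTUSER.DAT,Last Written,user1,WS01,Run key,HKCU/Software/Microsoft/Windows/CurrentVersion/Run,2,NTUSER.DAT,0,-,reg,-
06/24/2014,23:59:59,EST5EDT,.A..,FILE,NTFS $MFT,Accessed,-,WS01,svchost.exe,C:/Windows/System32/svchost.exe,2,$MFT,5678,-,mft,-
06/25/2014,00:00:01,EST5EDT,...B,LOG,Win Event Log,Event logged,-,WS01,Logoff,User logoff,2,Security.evtx,0,-,evtx,-
EOF
}
```

Run as filter_timeline /cases/timeline.csv 06-23-2014..06-24-2014 > /cases/day.csv; the range syntax mirrors the l2t_process DATE_RANGE form, and a single date selects one day. On the constructed sample the two out-of-range rows and the duplicate $MFT row drop out, leaving the header and three events, which is the same reduction the slides describe before the remaining entries go into the spreadsheet.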
Color Timeline Blog Entry
1. Download it - Open Timeline Color Template
2. Switch to Color Timeline worksheet/tab
3. Click on Cell A-1
4. Select 'DATA' Ribbon
5. Import Data "FROM TEXT"
6. Select log2timeline.csv file
7. TEXT IMPORT WIZARD Will Start
8. Step 1 -> Select Delimited ->Select NEXT
9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT >
10. Step 3 ->Select Finish
11. Where do you want to put the data? Simply Select OK.
12. Once imported View -> Freeze Panes -> Freeze Top Row
13. Optional: hide the columns Timezone, User, Host, Short or Desc (keep one of these), Version
14. Select HOME Ribbon
15. Select all Cells "CTRL-A"
16. In Home Ribbon -> Sort and Filter - Filter
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
What Does the Color Template Do?
The color template will apply the following colors to rows in the timeline file.
Look What We Found!
Log2timeline Command Format
Summary
• We used Mandiant Redline to do a quick memory analysis to find out if we had a problem
• svchost.exe was called out by Redline
• We followed it up with a more detailed file system analysis
• We found an svchost.exe call in the middle of several other events of note
Resources - 1
SANS SIFT Workstation 3.0 Download
http://digital-forensics.sans.org/community/downloads
SANS SIFT Workstation Blog
http://digital-forensics.sans.org/blog/category/sift-workstation
SANS SIFT Workstation YouTube series
https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A
Super Timeline Creation Cheat Sheet
http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident-response-log2timeline-timeline-cheatsheet.pdf
Timeline Colorization Template Instructions
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
Resources - 2
Mandiant Redline Download
https://www.mandiant.com/resources/download/redline
Example: Use the Mandiant Redline memory analysis tool for threat assessments
http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis-tool-for-threat-assessments
Kevans.infosec@gmail.com
http://csc-hub.com/what_the_heck.pdf

More Related Content

What's hot

Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
CS9222 Advanced Operating System
CS9222 Advanced Operating SystemCS9222 Advanced Operating System
CS9222 Advanced Operating System
Kathirvel Ayyaswamy
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in Android
Shrey Verma
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
National Cheng Kung University
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System callsZubair Nabi
 
Operating System 3
Operating System 3Operating System 3
Operating System 3tech2click
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Unix memory management
Unix memory managementUnix memory management
Unix memory managementTech_MX
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry PiEmbedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
Alison Chaiken
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
Andrew Case
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
YourHelper1
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
Brendan Gregg
 
Chapter 3: Processes
Chapter 3: ProcessesChapter 3: Processes
Chapter 3: Processes
Shafaan Khaliq Bhatti
 
Unit 4
Unit  4Unit  4
Unit 4
pm_ghate
 

What's hot (18)

Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
CS9222 Advanced Operating System
CS9222 Advanced Operating SystemCS9222 Advanced Operating System
CS9222 Advanced Operating System
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in Android
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
 
Operating System 3
Operating System 3Operating System 3
Operating System 3
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry PiEmbedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
 
Ch04
Ch04Ch04
Ch04
 
Readme
ReadmeReadme
Readme
 
Chapter 3: Processes
Chapter 3: ProcessesChapter 3: Processes
Chapter 3: Processes
 
Unit 4
Unit  4Unit  4
Unit 4
 

Similar to What the Heck Just Happened?

Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharingJames Hsieh
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
MongoDB
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
Ishan A B Ambanwela
 
Operating Systems: Revision
Operating Systems: RevisionOperating Systems: Revision
Operating Systems: Revision
Damian T. Gordon
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customizationHiren Mayani
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
Matthew Johnson
 
AdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance BoostAdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance Boost
Christoph Adler
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
HelpSystems
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
Neotys
 
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
Kblblkb
 
Technical track-afterimaging Progress Database
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
Vinh Nguyen
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
Gábor Nyers
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
EyesOpen Association
 
ICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance BoostICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance Boost
Christoph Adler
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
Jeff Beley
 
OS_lab_file.pdf
OS_lab_file.pdfOS_lab_file.pdf
OS_lab_file.pdf
KarthickS942388
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff Stokes
Jeff Stokes
 
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
Víctor Capetillo
 

Similar to What the Heck Just Happened? (20)

Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
 
File000127
File000127File000127
File000127
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Operating Systems: Revision
Operating Systems: RevisionOperating Systems: Revision
Operating Systems: Revision
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customization
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
AdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance BoostAdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance Boost
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
 
Technical track-afterimaging Progress Database
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
 
ICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance BoostICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance Boost
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
OS_lab_file.pdf
OS_lab_file.pdfOS_lab_file.pdf
OS_lab_file.pdf
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff Stokes
 
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
 

Recently uploaded

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
Peter Spielvogel
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 

Recently uploaded (20)

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

What the Heck Just Happened?

  • 1. What the Heck Just Happened? An Introduction to Digital Forensics for Incident Response Ken Evans Information Security Incident Response Lead Henry Ford Health Systems CISSP, GSEC, GCFA, GCFE Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
  • 2. What We’re Covering • Introduction to Digital Forensics • Basic memory analysis of a host with Mandiant Redline • Intermediate file system analysis of a host with Log2timeline
  • 3. We Are NOT Covering… • Proper evidence handling procedures • Detailed information about forensic artifacts • About 165 tools in the SANS SIFT workstation • The best way to scale this for a business
  • 4. To Get the Most Value From This Presentation • Don’t try to memorize the steps • Keep a high level view and go for the concepts • See if this looks useful or fun • Follow-up by getting the presentation and accessing the links at the end
  • 5. The Scenario • You’re at work browsing when suddenly a popup window appears and then goes away immediately. • You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing. • Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine. • A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices. BUT…
  • 6. Classical Incident Response: Preparation → Identification and Scoping → Containment / Intelligence Gathering → Eradication / Remediation → Recovery → Follow Up / Lessons Learned
  • 7. Incident Response with Full Intrusion Analysis: Preparation → Identification and Scoping → Containment / Intelligence Gathering → Eradication / Remediation → Recovery → Follow Up / Lessons Learned, with an Intrusion Analysis step (Memory Forensics, Timeline Analysis, File System Analysis, Data Recovery) added to the cycle
  • 8. Our Approach Memory is VERY volatile; we need to capture it as soon as possible. We’ll use Mandiant Redline for this. Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
  • 9. Some Assembly Required
    For Memory Analysis:
    1. Examiner system (64-bit, 4 GB RAM for VMware support)
    2. Installation of Mandiant Redline on the Examiner system
    3. External storage, larger than memory
    For Disk Image Analysis:
    4. External storage, larger than the source hard drive
    5. Ubuntu Desktop 14 install disc on DVD or bootable USB
    6. Installation of VMware Player on Examiner system
    7. Installation of SANS SIFT Workstation 3 on Examiner system
    8. MS Excel or other spreadsheet program (macro compatible)
  • 10. Mandiant Redline Overview Malware can sometimes hide in transit or on disk, but eventually… IT MUST EXECUTE And to do that it needs to use… MEMORY! Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
  • 11. Creating a Redline Collector Create a “Standard Collector” from Redline on your Examiner system.
  • 12. Collector Option - Acquire Memory Image Make sure to Acquire Memory Image. Save the Collector to USB device.
  • 13. Running the Redline Collector on the Subject Run Redline from the USB device with a command line session with elevated privileges.
  • 14. Collector Can Take a While Depends mostly on: • Machine speed • RAM size • Disk speed
  • 15. Time for the Subject Disk Image We need to capture a disk image without changing or corrupting the contents. One simple way to do this is to use Linux to read the disk. Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
  • 16. Boot Ubuntu Live CD on Subject System
  • 17. Launch a Terminal Session
  • 19. Note the Source Drive with lsblk. Source 30 GB drive device is /dev/sda2; mounted external media is /media/ubuntu/FreeAgent Drive. Note: In Linux, everything is a file.
  • 20. Use the dd Command to Make a Disk Image File
    dd Command Syntax:
    if = input “file” (the source device)
    of = output file (the image)
    bs = block size, i.e. the number of bytes read and written per operation (the buffer size)
    conv = convert flags
    noerror = continue if you get a read error
    notrunc = do not truncate the output file
  • 21. Image Can Take a While Depends mostly on: • Machine speed • Disk size • Disk speed
  • 22. Analyze the Memory • Shutdown Ubuntu / Subject system • Hook the USB drive up to your Examiner system • Run Mandiant Redline
  • 23. Open Collected Redline Data Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
  • 24. Browse to your Collector Data Browse to the Collector data on the USB device.
  • 25. Select the Time Stamped Audit Folder Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
  • 26. Browse to your Collector Data We don’t need the Advanced or Indicators of Compromise options. Click Next.
  • 27. Hurry Up and Wait No time for movies, though!
  • 28. Select the Full Live Response Option
  • 30. Closer Examination of svchost.exe
  • 31. MRI Report for svchost.exe - 1
  • 32. MRI Report for svchost.exe - 2
  • 33. Analyze the Disk Image • Hook the USB drive up to your Examiner system • Launch VMware Player • Launch SIFT Workstation • Make sure USB drive is readable (mounted) in the SIFT Workstation
  • 34. Super Timeline Process Overview
    1. Acquire image (Ubuntu desktop live CD boot, dd command)
    2. Mount image for processing (launch SIFT workstation, mount command)
    3. Create comprehensive timeline (log2timeline command)
    4. Filter the timeline (l2t_process command)
    5. Apply colorization macro (colorize, sort, and analyze)
  • 37. Escalate your Privileges to Super User
  • 38. Mount the .dd Image
    mount Command Syntax: mount [options] sourcefile mountpoint
    -o = options flag
    ro = read-only
    loop = loopback (mount an image file as if it were a device)
    show_sys_files = yes, show them (the NTFS system files)
    streams_interface = how to interpret alternate data streams
  • 40. Execute the log2timeline Command
    log2timeline Command Syntax: log2timeline [options] [-f format] [-z timezone] log_file [-w bodyfile]
    -p = preprocess (trust me, you want it)
    -r = recursive
    -f = format. There are several, check the docs for your type (-f list).
    -z = timezone. Use the timezone for the subject. Check the docs for the string (-z list).
  • 41. How to List the Format Options
  • 42. How to List the Time Zones The “-z list” feature will let you see the complete list of time zones and the strings to use.
  • 44. Timeline Might Take a While Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs
  • 45. Let’s Trim it Down The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
  • 46. l2t_process Command l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
  • 49. Output of l2t_process This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
  • 50. Color Timeline Blog Entry
    1. Download it - Open Timeline Color Template
    2. Switch to Color Timeline worksheet/tab
    3. Click on Cell A-1
    4. Select 'DATA' Ribbon
    5. Import Data "FROM TEXT"
    6. Select log2timeline.csv file
    7. TEXT IMPORT WIZARD Will Start
    8. Step 1 -> Select Delimited -> Select NEXT
    9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT
    10. Step 3 -> Select Finish
    11. Where do you want to put the data? Simply Select OK.
    12. Once imported View -> Freeze Panes -> Freeze Top Row
    13. Optional Hide Columns Timezone, User, Host, Short or Desc (keep one of these), Version
    14. Select HOME Ribbon
    15. Select all Cells "CTRL-A"
    16. In Home Ribbon -> Sort and Filter - Filter
    http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
  • 51. What Does the Color Template Do? The color template will apply the following colors to rows in the timeline file.
  • 52. Look What We Found!
  • 54. Summary • We used Mandiant Redline to do a quick memory analysis to find out if we had a problem • svchost.exe was called out by Redline • We followed it up with a more detailed file system analysis • We found a svchost.exe call in the middle of several other events of note
  • 55. Resources - 1 SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident-response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
  • 56. Resources - 2 Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis-tool-for-threat-assessments Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
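The dd imaging step of slides 19 and 20 with the integrity check the slides leave out, as an added example that is not part of the presentation; /dev/sda2 and the FreeAgent Drive path are the slide's values, the block size and the hashing routine are assumptions:

```shell
#!/bin/sh
# Added example, not from the presentation: the dd invocation from slide 20
# wrapped in a function, plus hashing of source and image so the copy can be
# verified later. Device and mount-point paths below are the slide's values
# and are assumptions for any other system.

# image_disk SOURCE DEST : copy SOURCE to DEST with the slide's dd flags.
image_disk() {
    # bs=1048576  : 1 MiB blocks, far faster than the 512-byte default
    # conv=noerror: keep reading after a read error instead of stopping
    # conv=notrunc: do not truncate an existing output file
    # Caveat: with noerror alone a failed block is skipped and everything
    # after it shifts; add conv=sync so bad blocks are zero-padded instead
    # when the source drive is failing.
    dd if="$1" of="$2" bs=1048576 conv=noerror,notrunc 2>/dev/null
}

# hash_file PATH : SHA-256 hex digest (GNU coreutils or BSD shasum)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_image SOURCE DEST : write DEST.sha256 with both digests and
# succeed only if they match. Re-reads SOURCE, which is harmless for a
# device that is only ever opened read-only.
verify_image() {
    src_sum=$(hash_file "$1"); img_sum=$(hash_file "$2")
    printf '%s  %s\n%s  %s\n' "$src_sum" "$1" "$img_sum" "$2" > "$2.sha256"
    [ "$src_sum" = "$img_sum" ]
}

# Usage on the subject system booted from the Ubuntu live disc (slides 19/20):
#   lsblk                                   # confirm the source is /dev/sda2
#   image_disk   /dev/sda2 "/media/ubuntu/FreeAgent Drive/subject.dd"
#   verify_image /dev/sda2 "/media/ubuntu/FreeAgent Drive/subject.dd"
```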
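The date-range filtering and duplicate removal that slides 46 to 49 do with l2t_process, together with the pivot-point search of slides 45 and 54, as an added example that is not the tool's code; it assumes the l2t_csv layout (header row first, date column first as MM/DD/YYYY) and runs over constructed sample rows:

```shell
#!/bin/sh
# Added example, not from the presentation: a portable awk version of the
# l2t_process date filter (slide 46) that also drops exact duplicate rows
# (slide 49), plus a context search around the pivot entry (slides 45, 54).
# Assumes log2timeline's CSV layout: header row, date in column 1 as
# MM/DD/YYYY. The sample rows in sample_csv are constructed for this example.

# to_key MM-DD-YYYY : slide 46's DATE_RANGE form as a sortable YYYYMMDD key
to_key() { printf '%s\n' "$1" | awk -F- '{ print $3 $1 $2 }'; }

# l2t_filter CSV START END : header plus the unique rows dated START..END
# (inclusive, like "MM-DD-YYYY..MM-DD-YYYY"); rows keep the file's order.
l2t_filter() {
    awk -F, -v s="$(to_key "$2")" -v e="$(to_key "$3")" '
        NR == 1 { print; next }                 # keep the header row
        {
            split($1, d, "/")                   # MM/DD/YYYY
            key = d[3] d[1] d[2]                # -> YYYYMMDD
            if (key >= s && key <= e && !seen[$0]++) print
        }' "$1"
}

# l2t_pivot CSV PATTERN N : rows mentioning PATTERN (case-insensitive) with
# N rows of context on either side, the "events around svchost.exe" view
l2t_pivot() { grep -i -C "$3" -- "$2" "$1"; }

# Constructed sample in l2t_csv column order (one exact duplicate, one row
# outside the day of interest), so the functions can be run stand-alone.
sample_csv() {
    cat <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
06/22/2014,23:59:10,EST5EDT,...B,WEBHIST,Firefox,Last Visited,user,host,visited ad.example,URL http://ad.example/pop,2,places.sqlite,0,-,firefox,-
06/23/2014,10:15:02,EST5EDT,...B,FILE,NTFS,Created,user,host,svchost.exe,Temp/svchost.exe created,2,$MFT,0,-,mft,-
06/23/2014,10:15:02,EST5EDT,...B,FILE,NTFS,Created,user,host,svchost.exe,Temp/svchost.exe created,2,$MFT,0,-,mft,-
06/23/2014,10:15:09,EST5EDT,MACB,REG,Run key,Registry,user,host,Run key,Run key references svchost.exe,2,NTUSER.DAT,0,-,reg,-
06/25/2014,08:00:00,EST5EDT,M...,LOG,Syslog,Entry,-,host,reboot,System rebooted,2,messages,0,-,syslog,-
EOF
}
```

Slide 49's point shows up directly: filtering the sample to 06-23-2014..06-24-2014 keeps two of the five rows, and the exact duplicate is gone.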