1 Creating a Toolkit for Live Incident Response Data Acquisition and Tips for Better Timeline Analysis
Jonathan Glass
2 Bio
Originally from Roanoke, VA.
Awesome wife and two kids.
Hopeless tinkerer, maker, and security professional.
MCSA, MCSE, S+, CEH, CNDA, CISSP, GCIH, GAWN
3 Disclaimer
The Live Response script presented here was prepared for this presentation to frame the discussion. Feel free to use it. While it is functional on this demo VM, I make no guarantees that it will work every time in every environment. Use at your own risk.
4 Disclaimer
I do not claim to be an expert. This presentation is meant to be a discussion of possible techniques. If you know a better way to do something, shout it out. I would love to hear it.
5 Objectives
Motivation
How Live Response Data Collection Works
  Drop script and tools on target
  Run tools in correct order to collect artifacts
  Securely send back to analysts
General Guidelines for Live Response
An Overview of Artifacts to Collect
  What to grab
  How to grab it
  What to do with it
Forensic Timelines
  How to create
  Tips on faster/better analysis and summarization
6 Motivation
Building your own script is a great way to understand forensic artifacts and tools.
Adds context and verification of COTS tools.
Gives the analyst the ability to compare memory artifacts vs. live output vs. artifacts from the physical drive.
Malware/rootkits may attempt to mask processes and falsify the output of commands. It is hard to falsify numerous sources of redundant info.
Everything means something.
7 Live Response vs. Memory Analysis
Memory analysis is ideal for understanding the current state of the machine, but…
Full memory dumps are huge. It is not uncommon to see 8GB or 16GB of RAM in a workstation.
It takes time to dump, compress, and encrypt memory dumps to be sent over a network.
Solid state drives are becoming the standard, even though they have far less capacity than HDDs. There might not be enough free space on the workstation to dump memory.
8 General Guidance for Live Response Scripts
Communication should be encrypted to and from the target machine.
Tread lightly: the smaller the footprint you create on a remote machine, the less likely you are to cause a business interruption.
Keep LR packages small, with only the tools you need.
Be concise. Do not generate any more files than absolutely necessary.
Get in, grab stuff, and get out: avoid processing artifacts on the target machine.
Don't connect to a target machine directly from your workstation.
9 General Guidance for Live Response Scripts
Protect privileged domain accounts during Live Response.
Don't use any kind of "interactive logon". Interactive logons store password hashes as cached credentials and in memory while you are logged on. This includes "Run As" from the command line.
Use temporary admin credentials. Reset account passwords after acquisition or every day. Limit the exposure of a compromised LR account.
10 General Guidance for Live Response Scripts
Batch programming, Visual Basic Scripting, and PowerShell are great native options for creating Live Response scripts.
Stick to native solutions unless you are going to compile your Python, Ruby, Perl or whatever into an executable… every time you make a change.
Windows has a ton of built-in utilities for pulling a lot of forensically relevant information. Leverage those.
11 Live Response Data Collection
(Diagram with three parties: Analyst, Target, Forensic Server.)
1. Investigate "Target"
2. Create secure channel and tell "Target" to pull the LR package
3. Pull the latest LR package
4. Send the latest LR package
5. Run script
6. Target pushes LR data back to Server
7. Analyst reviews info on Server
12 PsExec v2.1
PsExec is a light-weight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
New with version 2.1 (March 7, 2014):
  enables you to execute programs on remote systems without preinstalling an agent
  encrypts *all* communication between local and remote systems, including the transmission of command information such as the user name and password under which the remote program executes
13 7zip
7-Zip is an open source file archiver with a high compression ratio. GUI and command line options. GNU LGPL license.
7za.exe is the command line version.
Can use AES256 GPG encryption.
High compression is great for memory dumps and other large files.
14 PsExec v2.1 + 7zip = Encrypted Communication
Great way to transfer a collection package to a machine, run apps as System, and collect data back to the analyst through a "secure" channel.
15 How this Example Script Works
(Diagram components: LiveResponse.bat, CollectionScript.bat, 7za.exe, TargetMachine.zip, TargetMachine, Processes Collected Data.)
16 An Overview of Artifacts to Collect
What/Why to collect
How to collect it
What to do with it
17 Artifacts to Collect
Template for the slides that follow: Artifact to Grab, Significance, Location on Target, Tools to Grab and/or Parse, Batch File Example
18 Protected or Locked Files
Significance: The majority of the files needed for analysis are locked, open, or protected.
Location: Everywhere
Method to grab/parse:
  VSS Shadowcopy: *HoboCopy
  Low level disk reading: *RawCopy (https://code.google.com/p/mft2csv/), NTFSCopy (https://www.tzworks.net/prototype_page.php?proto_id=9), FGET – HBGARY (old)
19 RawCopy
Compiled AutoIt script. Console application that copies files off NTFS volumes using a low level disk reading method.
Will let you copy files that usually are not accessible because the system has locked them: for instance the registry hives like SYSTEM and SAM, files inside "SYSTEM VOLUME INFORMATION", or any file on the volume.
Works best with the MFT record number.
20 Protected or Locked Files Example:
REM Copy every user's locked NTUSER.DAT hive with RawCopy (the closing quote on the destination path was missing)
FOR /F "tokens=*" %%G IN ('dir /b /a C:\Users\') DO (
    IF EXIST "C:\Users\%%G\NTUSER.DAT" (
        MD C:\windows\temp\lrscript\collecteddata\Registry\%%G\
        C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "C:\Users\%%G\NTUSER.DAT" "C:\windows\temp\lrscript\collecteddata\Registry\%%G\"
    )
)
21 Physical Memory
Significance: Running processes and services, open network connections, ARP cache, web history, running malware/Trojans, unpacked/decrypted versions of protected programs, system information (e.g. time elapsed since last reboot), information about logged in users, decryption keys for encrypted volumes mounted at the time of the capture, and much more.
Location on target: \\.\PhysicalMemory
Method to grab and parse:
  Grab: WinDD, Dumpit, *DD for Windows, Memoryze (https://www.mandiant.com/resources/download/memoryze)
  Parse: *Volatility (https://code.google.com/p/volatility/), Redline (https://www.mandiant.com/resources/download/redline)
22 Physical Memory
REM **************BEGIN MEMORY DUMP*************
echo Checking if there is enough free disk space to dump Memory
REM MemCheck.vbs prints a line beginning with GOOD when there is room for the dump
FOR /F "tokens=*" %%G IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\MemCheck.vbs') DO SET MEMGO=%%G
REM The test sits after the loop: %MEMGO:~0,4% inside the loop body would expand before SET ran
IF "%MEMGO:~0,4%"=="GOOD" (
    echo Dumping Memory
    start /wait cmd /c "C:\Windows\Temp\lrscript\LRTools\MemoryDD.bat -output=C:\Windows\Temp\lrscript\CollectedData"
) ELSE (
    echo "NOT ENOUGH FREESPACE FOR MEMORY Dump"
)
REM Wait 30 seconds to give time for the memory dump to complete (31 loopback pings, one per second)
PING -n 31 127.0.0.1 >nul
REM **************END MEMORY DUMP*************
23 Running Processes
Significance: Critical to almost all investigations. Trivial to determine while online; very hard to piece together offline.
Locations on target: Memory, physical disk, removable media
Method to grab and/or parse:
  List: WMIC.exe Process List Full; *Volatility (pslist, pstree, psscan, dlllist, handles)
  Grab: ProcDump; *Volatility (procexedump)
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.
24 Running Processes
wmic process list full > C:\windows\temp\lrscript\collecteddata\processes\ProcessList.txt
C:\windows\temp\lrscript\lrtools\pslist.exe -t > C:\windows\temp\lrscript\collecteddata\processes\ProcessTree.txt
C:\windows\temp\lrscript\lrtools\handle.exe -asu > C:\windows\temp\lrscript\collecteddata\processes\Handles.txt
25 $MFT Master File Table
Significance: The single most important file in an NTFS file system. Contains the record of the logical/physical size/location for all files on an NTFS volume. Contains metadata including Created Date, Entry Modified Date, Accessed Date and Last Written Date. Contains security permissions for each file.
Location on target: Logical: ROOT:\$MFT. Physical: location found in the MBR (first 512 bytes of the volume).
Method to grab and parse: You need to be running with system level privs to gain direct access to $MFT. Use *RunAsSystem (https://code.google.com/p/mft2csv/) or PsExec.
  Grab: *RawCopy (https://code.google.com/p/mft2csv/); *MFTDumper.py (https://github.com/Kvetch/Kludge-Collector/blob/master/collector/mftfinder.py)
  Parse: *AnalyzeMFT (https://github.com/dkovar/analyzeMFT); *ntfswalk (https://code.google.com/p/mft2csv/)
26 $MFT Master File Table
REM **************BEGIN MFT DUMP*************
SETLOCAL ENABLEDELAYEDEXPANSION
echo Running fls-live.exe to grab MFT data from all NTFS drives connected to the system.
FOR /F "tokens=*" %%A IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\ListOfLocalDrives.vbs') DO (
    SET "BAM=%%A"
    start /wait cmd /c "C:\windows\temp\lrscript\lrtools\fls-live.exe %%A\ >> C:\Windows\Temp\lrscript\collecteddata\TimelineFiles\fls-bodyfile.txt"
    REM !BAM:~0,1! is the drive letter; delayed expansion is needed because BAM is set inside the loop body
    mkdir C:\Windows\Temp\lrscript\collecteddata\MFT\!BAM:~0,1!\
    REM MFT record 0 of the volume is $MFT itself (the closing quote on this command was missing)
    start /wait cmd /c "C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe !BAM:~0,1!:0 C:\Windows\Temp\lrscript\collecteddata\MFT\!BAM:~0,1!\"
)
ENDLOCAL
REM **************END MFT DUMP*************
27/28 Registry
Significance: Hierarchical "database" that contains system configuration information and tracks a great deal of system and user activity. Much of that activity has some form of time stamp associated with it.
Location on target:
  System: C:\Windows\system32\config; C:\Windows\system32\config\RegBack
  User: C:\Users\user\NTUSER.DAT; C:\Users\user\AppData\Local\Microsoft\Windows\USRCLASS.DAT
Method to grab and parse:
  Grab: locked file utilities; export using Reg
  Parse: RegRipper; Volatility (hivescan, hivelist, printkey, hivedump, hashdump, lsadump, userassist); Python (https://github.com/williballenthin/python-registry)
29 Registry
REM Per-user hives
FOR /F "tokens=*" %%G IN ('dir /b /a C:\Users\') DO (
    IF EXIST "C:\Users\%%G\NTUSER.DAT" (
        MD C:\windows\temp\lrscript\collecteddata\Registry\%%G\
        C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "C:\Users\%%G\NTUSER.DAT" "C:\windows\temp\lrscript\collecteddata\Registry\%%G\"
    )
)
REM System hives (locked while Windows is running, hence RawCopy)
for %%i in (SAM SECURITY SOFTWARE SYSTEM DEFAULT COMPONENTS BCD-TEMPLATE) do (
    C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe C:\WINDOWS\system32\config\%%i C:\windows\temp\lrscript\collecteddata\Registry\
)
REM Live exports of each root key with the built-in reg.exe
c:\windows\system32\reg.exe export HKLM C:\windows\temp\lrscript\collecteddata\Registry\hklm.reg
c:\windows\system32\reg.exe export HKCU C:\windows\temp\lrscript\collecteddata\Registry\hkcu.reg
c:\windows\system32\reg.exe export HKCR C:\windows\temp\lrscript\collecteddata\Registry\hkcr.reg
c:\windows\system32\reg.exe export HKU C:\windows\temp\lrscript\collecteddata\Registry\hku.reg
c:\windows\system32\reg.exe export HKCC C:\windows\temp\lrscript\collecteddata\Registry\hkcc.reg
30 Index.dat
Significance: The cache INDEX.DAT file is a database of cache entries. It holds information relating to individual cached items so that the browser can check whether the resource needs to be updated (eTag) and information relating to the location of the cached item.
Location on target:
  C:\Users\user\Roaming\Microsoft\Windows\Cookies\index.dat
  C:\Users\user\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  C:\Users\user\Local\Microsoft\Windows\History\History.IE5\index.dat
  C:\Users\user\Local\Microsoft\Windows\History\History.IE5\Low\index.dat
  C:\Users\user\Local\Microsoft\Windows\History\History.IE5\index.dat\MSHistXXXXXXXXXXX\index.dat
  C:\Users\user\Local\Microsoft\Windows\History\History.IE5\Low\index.dat\MSHistXXXXXXXXXXX\index.dat
  C:\Users\user\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
  C:\Users\user\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5index.dat
  C:\Users\user\Roaming\Microsoft\Internet Explorer\UserData\index.dat
  C:\Users\user\Roaming\Microsoft\Internet Explorer\UserData\Low\index.dat
31 Index.dat
Grab: Assume they are locked.
Parse: Perl; id (https://tzworks.net/prototype_page.php?proto_id=6)
32 Index.dat and other web history files
echo Grabbing Browser History Files
REM No spaces after the commas: each name becomes one quoted pattern below
Set FilesToGrab=index.dat,*.dat,urlclassifier3.sqlite,index.sqlite,addons.sqlite,chromeappsstore.sqlite,content-prefs.sqlite,cookies.sqlite,downloads.sqlite,extensions.sqlite,permissions.sqlite,places.sqlite,search.sqlite,signons.sqlite,webappsstore.sqlite
REM Replacing every comma with '" "' turns the list into a set of quoted patterns
for %%X in ("%FilesToGrab:,=" "%") do (
    for /f "tokens=*" %%a in ('dir /s /a /b c:\%%X') do (
        REM recursionPath.vbs (the author's helper) derives the destination subfolder from the file's path
        for /f "tokens=*" %%b in ('cscript /nologo C:\windows\temp\lrscript\lrtools\recursionPath.vbs "%%a"') do (
            mkdir "C:\windows\temp\lrscript\collecteddata\WebHistory%%b"
            C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe "%%a" "C:\windows\temp\lrscript\collecteddata\WebHistory%%b"
        )
    )
)
33 Journal
Significance: The change journal is a component of NTFS that will, when enabled, record changes made to files and folders. The change journal records the time of the change, the affected file/directory, and the change type (e.g. delete, rename, size extend, etc.).
Location on target: [root]\$Extend\$UsnJrnl:$J ($J is an alternate data stream)
Method to grab and parse:
  Grab: Locked file
  Parse: Windows Journal Parser (https://github.com/jschicht/LogFileParser)
34 Journal
FOR /F "tokens=*" %%A IN ('cscript /nologo C:\windows\temp\lrscript\lrtools\ListOfLocalDrives.vbs') DO (
    REM ifind returns the MFT entry number of the $J stream; RawCopy then copies by record number
    FOR /F "tokens=*" %%B IN ('C:\windows\temp\lrscript\lrtools\ifind.exe -n /$Extend/$UsnJrnl:$J \\.\%%A:') DO (
        C:\windows\temp\lrscript\lrtools\rawcopy%ARC%.exe %%A:%%B C:\Windows\Temp\lrscript\collecteddata\MFT\
    )
)
35 Event Logs
Significance: Application, System, and Security
Location on target: C:\Windows\system32\config
Method to grab and parse:
  Grab: Locked file
  Parse: GrokEVT is a set of forensics scripts designed to make sense of EVT logs for investigations. Along with RegLookup, it is able to combine registry information and event log templates to place EVT data in context. python-evtx; LogParser; Windows Event Log Parser (evtwalk, https://tzworks.net/prototype_page.php?proto_id=25)
36 Network Info
Significance: Current TCP and UDP connections are extremely important to document while the machine is running. Very hard to piece together after the fact without external logs.
Location on target: Memory
37 Network Info
Method to grab and parse:
Grab: (netstat -anto & wmic process get ProcessID,Name,CommandLine) > netcon.txt
  (The parentheses send both commands' output to the file; without them only the wmic output is redirected.)
  -a  Displays all connections and listening ports.
  -n  Displays addresses and port numbers in numerical form.
  -t  Displays the current connection offload state.
  -o  Displays the owning process ID associated with each connection.
Volatility: connections, connscan, sockets, netscan
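The point of grabbing netstat and the process list together is to tie each socket to the image that owns it. The following is an added example (mine, not the author's script), in Python since most of the parsers the talk points to are Python: it parses a constructed sample in the column layout of `netstat -ano` (the `-t` offload column is left out of the sample) and a constructed `wmic process get ProcessId,Name,CommandLine /format:csv` output, joins them on PID, and applies a simple triage heuristic (an assumption, not a rule from the slides) that flags established connections owned by images outside the Windows and Program Files trees.

```python
import csv
import io

# Constructed sample in the layout of `netstat -ano` (not captured from a real host)
NETSTAT_OUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49512       198.51.100.7:443       ESTABLISHED     2816
  TCP    192.0.2.10:49613       203.0.113.9:8443       ESTABLISHED     3104
  UDP    0.0.0.0:5355           *:*                                    1072
"""

# Constructed sample in the layout of `wmic ... /format:csv` (assumption: a Node column
# followed by the requested properties; parsed by column name so order does not matter)
WMIC_OUT = """
Node,CommandLine,Name,ProcessId
TARGETMACHINE,,System,4
TARGETMACHINE,C:\\Program Files\\Internet Explorer\\iexplore.exe SCODEF:2516,iexplore.exe,2816
TARGETMACHINE,C:\\Users\\demo\\AppData\\Local\\Temp\\updater.exe -s,updater.exe,3104
TARGETMACHINE,C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted,svchost.exe,1072
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP line; UDP rows have no State column, so PID is read as the last token."""
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue  # header, blank, or 'Active Connections' banner
        conns.append({
            "proto": tokens[0],
            "local": tokens[1],
            "remote": tokens[2],
            "state": tokens[3] if tokens[0] == "TCP" else "",
            "pid": int(tokens[-1]),
        })
    return conns


def parse_wmic_csv(text):
    """Map PID -> row dict from the CSV-formatted wmic output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["ProcessId"]): row for row in reader}


def join_connections(netstat_text, wmic_text):
    """Attach owning image name and command line to every connection (unknown PIDs are kept, not dropped)."""
    procs = parse_wmic_csv(wmic_text)
    joined = []
    for conn in parse_netstat(netstat_text):
        proc = procs.get(conn["pid"], {})
        joined.append({**conn,
                       "name": proc.get("Name", "<unknown>"),
                       "cmdline": proc.get("CommandLine", "")})
    return joined


# Triage heuristic (assumption): established sockets owned by images outside these trees deserve a look
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def established_outside_trusted_dirs(joined):
    return [c for c in joined
            if c["state"] == "ESTABLISHED"
            and not c["cmdline"].lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for c in established_outside_trusted_dirs(join_connections(NETSTAT_OUT, WMIC_OUT)):
        print(f"{c['local']} -> {c['remote']} pid={c['pid']} {c['name']} :: {c['cmdline']}")
```

Running it prints the single connection owned by the constructed `updater.exe` under a user's Temp directory; the heuristic is deliberately crude and is only a starting point for the analyst, not a verdict.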
38 Prefetch
Significance: Designed to boost the startup process of frequently launched applications. Records the name of the executable, Unicode itemizations of the DLLs that the executable requires to function, a timestamp of when the application was last launched, and a count of the times that the executable has run.
Location on target: %SystemRoot%\Prefetch\*.pf
Method to grab and parse:
  Grab: Just copy them.
  Parse: Windows Prefetch Parser (pf, https://tzworks.net/prototype_page.php?proto_id=1)
39 LNK Files
Significance: Created Date, Last Written Date, Last Accessed Date, Full Path, Command Line, occasionally the MAC address
Location on target: %APPDATA%\Microsoft\Windows\Recent\; %APPDATA%\Roaming\Microsoft\Office\Recent\; Desktop, etc...
Method to grab and parse:
  Windows LNK Parsing Utility (lp, https://tzworks.net/prototype_page.php?proto_id=11): "dir /s /b C:\users\*.lnk | LP -pipe -csv >> results.csv"
  LNK Parser (https://code.google.com/p/lnk-parser/)
40 USB Activity
Significance: Entry vector for bad stuff; exfil vector
Location on target:
  HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  HKLM\SYSTEM\CurrentControlSet\Enum\USB
  C:\Windows\inf\setupapi.dev.log
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Method to grab and parse: Grab C:\Windows\inf\setupapi.dev.log and the registry files
41 Recycle Bin
Significance: Many cases routinely require examination of the Recycle Bin. Malware often operates from the Recycle Bin. People delete stuff.
$I files:
  Bytes 0-7: $I file header.
  Bytes 8-15: Original file size, stored in hex, little-endian.
  Bytes 16-23: Deleted date/time stamp, represented as the number of seconds since midnight, January 1, 1601.
  Remaining bytes: Original file path/name.
Location on target: C:\$Recycle.Bin\%SID% (%SID% is the SID of the user who deleted the file)
Method to grab and parse: recbin.pl – Harlan Carvey (https://winforensicaanalysis.googlecode.com/files/wfa3e.zip)
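The $I layout above is small enough to parse by hand, which is a good way to verify what a tool like recbin.pl reports. The following is an added Python example (mine, not the author's or Harlan Carvey's code). The slide's "seconds since 1601" field is a Windows FILETIME, whose raw value counts 100-nanosecond intervals from 1601-01-01 UTC, and the converter divides that out. The header value is not given on the slide, so the constructed sample record uses a placeholder; the three fixed fields are little-endian 64-bit integers and the path is UTF-16LE, which is what the fixed offsets imply.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; the raw field counts 100-nanosecond ticks from here
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIXED_LEN = 24  # header(8) + original size(8) + deleted-time FILETIME(8)


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_i_record(header, original_size, deleted_at, original_path):
    """Build a $I record in the slide's layout (constructed test data, not a real file)."""
    fixed = struct.pack("<QQQ", header, original_size, datetime_to_filetime(deleted_at))
    return fixed + original_path.encode("utf-16-le") + b"\x00\x00"


def parse_i_record(data):
    """Parse one $I record into its fields; raises ValueError on a truncated record."""
    if len(data) < FIXED_LEN:
        raise ValueError(f"$I record too short: {len(data)} bytes, need at least {FIXED_LEN}")
    header, original_size, ticks = struct.unpack_from("<QQQ", data, 0)
    # The path is the UTF-16LE text after the fixed fields, up to the first NUL
    path = data[FIXED_LEN:].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "header": header,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(ticks),
        "original_path": path,
    }


def timeline_row(record, host="TARGETMACHINE"):
    """Emit the record as a super-timeline line in the YYYY/MM/DD hh:mm:ss form used later in the talk."""
    ts = record["deleted_at"].strftime("%Y/%m/%d %H:%M:%S")
    return f"{ts},RECYCLEBIN,{host},,deleted {record['original_path']} ({record['original_size']} bytes)"


# Placeholder header value: the slide does not give the real one
SAMPLE_RECORD = build_i_record(
    header=0x01,
    original_size=4096,
    deleted_at=datetime(2014, 3, 7, 12, 0, 0, tzinfo=timezone.utc),
    original_path="C:\\Users\\demo\\Documents\\quarterly.xlsx",
)

if __name__ == "__main__":
    print(timeline_row(parse_i_record(SAMPLE_RECORD)))
```

Because the deleted-time comes out as an aware UTC datetime, the row drops straight into a timeline that has already been normalised to UTC; feeding it a local-time timeline without converting first is exactly the time-zone mismatch the super-timeline slide warns about.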
42 Anti-Virus Logs/Quarantined Files
Significance: Logs give timestamps of the last virus subscription update, last scan, and virus/quarantine activity. Quarantined files are potentially malicious samples that have been rendered inert.
Location on target: Application logs; vendor specific
Method to grab and parse: (vendor specific)
43 Not an Exhaustive List
Add anything that you might find useful.
46 Super Timeline?
Grab any relevant log that has a timestamp.
Make sure they are all in the same time zone (local vs. UTC) and format (YYYY/MM/DD hh:mm:ss).
Put them all in one big file.
Sort.
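The four steps above are where most timeline mistakes happen: a source logged in local time sorted next to one logged in UTC puts events in the wrong order. The following added example (mine, not the author's tooling) normalises a few constructed entries from different sources, each with its own timestamp format and zone, into the talk's YYYY/MM/DD hh:mm:ss form in UTC and sorts them. The -05:00 offset for the "target" is an assumption for the sample; in practice it comes from the SYSTEM hive's TimeZoneInformation key.

```python
from datetime import datetime, timedelta, timezone

OUT_FMT = "%Y/%m/%d %H:%M:%S"

# Assumption for the sample: the target ran in UTC-05:00 (read this from the SYSTEM hive in a real case)
TARGET_LOCAL_TZ = timezone(timedelta(hours=-5))


def to_utc(raw, fmt, source_tz=None):
    """Parse raw with fmt; naive results are stamped with source_tz, aware ones keep their own offset."""
    dt = datetime.strptime(raw, fmt)
    if dt.tzinfo is None:
        if source_tz is None:
            raise ValueError(f"timestamp {raw!r} has no zone and none was supplied")
        dt = dt.replace(tzinfo=source_tz)
    return dt.astimezone(timezone.utc)


# Constructed sample entries: (source, raw timestamp, strptime format, zone for naive stamps, description)
SAMPLE_ENTRIES = [
    ("EVTX", "2014-03-07 08:05:01", "%Y-%m-%d %H:%M:%S", TARGET_LOCAL_TZ,
     "Microsoft-Windows-Security-Auditing/4688 C:\\Tools\\grep.exe"),
    ("PREFETCH", "2014-03-07T13:04:30Z", "%Y-%m-%dT%H:%M:%SZ", timezone.utc,
     "GREP.EXE last run"),
    ("WEBHIST", "03/07/2014 07:59:12", "%m/%d/%Y %H:%M:%S", TARGET_LOCAL_TZ,
     "URL http://example.invalid/"),
    ("MFT", "2014-03-07 13:00:00 +0000", "%Y-%m-%d %H:%M:%S %z", None,
     "C:\\Tools\\grep.exe created"),
]


def build_timeline(entries):
    """Return the entries as sorted super-timeline lines, every timestamp in UTC."""
    rows = []
    for source, raw, fmt, tz, desc in entries:
        utc = to_utc(raw, fmt, tz)
        rows.append((utc, f"{utc.strftime(OUT_FMT)},{source},{desc}"))
    rows.sort(key=lambda r: r[0])  # sort on the datetime, not the string, to avoid format surprises
    return [line for _, line in rows]


if __name__ == "__main__":
    for line in build_timeline(SAMPLE_ENTRIES):
        print(line)
```

Sorted on the raw strings, the EVTX line (08:05 local) would have landed first; after conversion it is the last of the four, which is the ordering an analyst needs when reading the grep output on the following slides.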
47 Setting up Your Machine for Command Line Timeline Analysis
48 Useful Tools for Command Line Timeline Analysis
Linux or OSX command line.
If you absolutely must use Windows for timeline analysis… GnuWin. GnuWin provides ports of tools with a GNU or similar open source license to modern MS-Windows (Microsoft Windows 2000 / XP / 2003 / Vista / 2008 / 7).
49 Useful GnuWin Packages
Grep: searches one or more input files for lines containing a match to a specified pattern.
CoreUtils: collection of basic file, shell and text manipulation utilities. Includes a ton of really useful timeline analysis commands like cat, cut, fold, head, join, nl, sort, tac, uniq, wc and a few others.
Many of these tools are also included in the Kludge source files.
50 Make a Tools Folder and Update Path
The %PATH% variable should be updated on regular and elevated accounts if you are going to use either for timeline analysis.
Always append your Tools folder to the END of your PATH. Do not prepend to the beginning.
52 Command Line Timeline Analysis
Determine the processes that were launched during a specific hour that do not have "Windows" in the file path:
c:\Incidents\DEMO\TLN>grep " \ 20" timeline.csv | grep "Microsoft-Windows-Security-Auditing/4688" | cut -d, -f1,10 | sort | uniq | grep -vi Windows
:05:01,C:\Tools\grep.exe
:05:13,C:\Tools\grep.exe
:06:36,C:\Tools\grep.exe
:31:39,C:\Tools\grep.exe
:39:02,C:\Tools\grep.exe
53 Command Line Timeline Analysis
Use simple regular expressions to help maximize your searches. This example shows the event codes for when the Event Logging Service starts (6005) and stops (6006):
c:\DEMO\TLN>grep -iE "EventLog/600[5,6]" timeline.csv
:48:11,EVTX,TARGETMACHINE,,EventLog/6005;4;
:46:03,EVTX,TARGETMACHINE,,EventLog/6006;4;
:40:10,EVTX,TARGETMACHINE,,EventLog/6005;4;
:38:01,EVTX,TARGETMACHINE,,EventLog/6006;4;
:33:18,EVTX,TARGETMACHINE,,EventLog/6005;4;
:10:44,EVTX,TARGETMACHINE,,EventLog/6006;4;
:49:40,EVTX,TARGETMACHINE,,EventLog/6005;4;
:26:30,EVTX,TARGETMACHINE,,EventLog/6006;4;
:24:32,EVTX,TARGETMACHINE,,EventLog/6005;4;
54 Command Line Timeline Analysis
c:\DEMO\TLN>grep -E ",URL,|Content.IE5" timeline.csv | cut -d: -f1,2 | sort | uniq | cut -d" " -f1 | sort | uniq -c
This will give you a count of the unique minutes in which web history or temporary internet files were created, and a rough estimate of how long a user was actively browsing. Great for when proxy logs are not available.
55 Command Line Timeline Analysis
Determine the logon times and user names for anyone that interactively logged on to the system:
C:\DEMO>grep timeline.csv | grep "Microsoft-Windows-Security-Auditing/4624" | cut -d, -f1,10,13 | grep -E ",2$|,11$" | sort | uniq
:10:09,DAVESTRUM,11
:50:46,DAVESTRUMADMIN,11
:59:56,DAVESTRUMADMIN,11
:20:45,DAVESTRUMADMIN,11
:21:24,DAVESTRUMADMIN,11
:16:01,DAVESTRUM,11
:39:38,DAVESTRUMADMIN,11
:42:22,DAVESTRUMADMIN,11
:47:07,DAVESTRUM,2
:47:08,DAVESTRUM,2
BUT THIS STILL DOESN'T READ ALL THAT WELL
56 Command Line Timeline Analysis
LABEL, SEPARATE, and COMBINE YOUR FINDINGS
C:\DEMO>grep timeline.csv | grep "Microsoft-Windows-Security-Auditing/4624" | cut -d, -f1,10,13 | grep -E ",2$|,11$" | sort | uniq > logontimes.txt & FOR /F "delims=" %i IN ('type logontimes.txt') DO echo %i LOGON >> FINDINGS.TXT
C:\DEMO>grep timeline.csv | grep "Microsoft-Windows-Security-Auditing/4647" | cut -d, -f1,6 | sort | uniq > logofftimes.txt & FOR /F "delims=" %i IN ('type logofftimes.txt') DO echo %i LOGOFF >> FINDINGS.TXT
C:\DEMO>type FINDINGS.TXT | sort
:10:09,DAVESTRUM,11 LOGON
:50:46,DAVESTRUMADMIN,11 LOGON
:59:56,DAVESTRUMADMIN,11 LOGON
:20:45,DAVESTRUMADMIN,11 LOGON
:21:24,DAVESTRUMADMIN,11 LOGON
:06:43,DAVESTRUM LOGOFF
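The grep/cut pipelines on the last few slides are quick at the keyboard but hard to re-run consistently across cases. As an added example (mine, not the author's), here is the same logic in Python over a constructed timeline.csv: process launches in a given hour whose image path does not contain "Windows" (slide 52), interactive logons of type 2 or 11 from event 4624 (slide 55), and the labelled, merged LOGON/LOGOFF findings (slide 56). The column layout is my own assumption and is narrower than the author's file, whose user and logon-type fields sit at columns 10 and 13; change FIELDS to match a real export.

```python
import csv
import io

# Constructed timeline.csv (not the author's file); columns are an assumption
FIELDS = ["timestamp", "source", "host", "event", "user", "logon_type", "image"]
TIMELINE_CSV = """\
2014/03/07 20:05:01,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4688,DAVESTRUM,,C:\\Tools\\grep.exe
2014/03/07 20:05:13,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4688,DAVESTRUM,,C:\\Windows\\System32\\cmd.exe
2014/03/07 19:10:09,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4624,DAVESTRUM,11,
2014/03/07 19:50:46,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4624,DAVESTRUMADMIN,11,
2014/03/07 19:51:00,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4624,SVC-BACKUP,3,
2014/03/07 21:06:43,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4647,DAVESTRUM,,
2014/03/07 20:31:39,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4688,DAVESTRUM,,C:\\Tools\\grep.exe
2014/03/07 20:31:39,EVTX,TARGETMACHINE,Microsoft-Windows-Security-Auditing/4688,DAVESTRUM,,C:\\Tools\\grep.exe
"""

# Logon types the talk treats as interactive: 2 (console) and 11 (cached interactive)
INTERACTIVE_LOGON_TYPES = {"2", "11"}


def load_timeline(text):
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))


def processes_launched(rows, hour_prefix):
    """Slide 52: unique (time, image) for 4688 events in the hour whose path lacks 'windows' (case-insensitive)."""
    hits = {(r["timestamp"], r["image"]) for r in rows
            if r["timestamp"].startswith(hour_prefix)
            and r["event"].endswith("/4688")
            and "windows" not in r["image"].lower()}
    return sorted(hits)  # sort | uniq


def interactive_logons(rows):
    """Slide 55: unique (time, user, type) for 4624 events with logon type 2 or 11."""
    return sorted({(r["timestamp"], r["user"], r["logon_type"]) for r in rows
                   if r["event"].endswith("/4624") and r["logon_type"] in INTERACTIVE_LOGON_TYPES})


def logoffs(rows):
    """Slide 56: unique (time, user) for 4647 user-initiated logoffs."""
    return sorted({(r["timestamp"], r["user"]) for r in rows if r["event"].endswith("/4647")})


def findings(rows):
    """Slide 56: label each finding, combine, and sort so logons and logoffs interleave by time."""
    lines = [f"{ts},{user},{lt} LOGON" for ts, user, lt in interactive_logons(rows)]
    lines += [f"{ts},{user} LOGOFF" for ts, user in logoffs(rows)]
    return sorted(lines)


if __name__ == "__main__":
    rows = load_timeline(TIMELINE_CSV)
    for ts, image in processes_launched(rows, "2014/03/07 20"):
        print(ts, image)
    for line in findings(rows):
        print(line)
```

The duplicated 20:31:39 grep.exe row in the sample is there to show the set doing the work of `sort | uniq`; the SVC-BACKUP type-3 logon is excluded from the findings for the same reason the slide's regex only accepts `,2$` and `,11$`.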