44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
1. Old Dog, New Tricks:
Forensics with PowerShell
Jared Atkinson
Veris Group’s Adaptive Threat Division
2. Special Thanks
○This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people:
□Matt Graeber (PowerShell Wizardry)
□Richard Russon (Linux-NTFS Project)
□Joachim Metz (Libyal Project)
□Jeff Bryner (NBDServer)
□Carlos Perez (PowerShell Binary Module)
□David Cowan (NTFS Triforce)
□Ange Albertini (Corkami)
□Phil Polstra (Linux Forensics)
□James Habben (NTFS Fixup Values)
3. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
□Adjunct Lecturer at Utica College
□Developer of PowerForensics, Uproot IDS, and WMIEventing
□Researcher of forensic artifact file formats
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GREM, and more
4. tl;dr
○ Hunting Philosophy
○ Evolution of Forensics
○ PowerShell 101
○ PowerForensics
○ Investigation Demo
○ The Future
7. Cyber Kill Chain
○F2T2EA
□Find, Fix, Target, Track, Engage, Assess
○Adapted from Lockheed Martin White Paper
○Any broken link will affect the entire chain
8. Prevention
○Prevailing Network Defense Concept for much of the 90s and 2000s
○Goal of stopping attacks at the perimeter
□ Glory years of “Server Side Exploits”
○Largely failed due to the rise in popularity of “Client Side” attacks
“...more than two-thirds of [Cyber Espionage] incidents ... have featured phishing.” -Verizon
9. Incident Response
○Early 2000s to mid 2010s
○“Five Alarm Fire” Concept
○Kicked off by:
□Network security monitoring alerts
□Third party notification
□Public disclosure
○By the time you notice it is often too late
10. Hunting
○Concept originating in the US DoD
○Practice “Assume Breach” mentality
○Detection, Investigation, Response
□Deny, Degrade, Disrupt, Manipulate
“Fundamentally, if somebody wants to get in, they're getting in… Accept that… What we tell clients is:
Number one, you're in the fight, whether you thought you were or not.
Number two, you almost certainly are penetrated.”
Michael Hayden
Former Director of CIA & NSA
14. Image
○Analyst takes an infected machine offline, makes a hard drive image (bit-for-bit copy), and performs forensic analysis
○Pros
□“Gold” Standard over past 2+ decades
□Repeatable results
□Allows for thorough analysis
○Cons
□Lose all volatile data
□Slow/non-scalable
15. Collection Scripts
○Analyst uses a script to collect forensically relevant files, often using third party binaries to access certain files
□First step in automating digital forensic/incident response processes
○Pros
□Speed
□Scalability
○Cons
□Often Messy (Not Forensically Sound)
□Third party dependencies (File Access, Artifact Parsing, Remote support)
16. Live Response
○Analyst quickly triages key file system artifacts in a forensically sound manner
□Merges some of the best attributes of Imaging and Collection Scripts
□“Intelligent” Analysis – Where the analysis of one artifact points the analyst in the direction of another
○Pros
□Speed/Scalability
□Forensically Sound
□Self contained
○Cons
□Repeatability
18. What is PowerShell
○Task-based command-line shell and scripting language
○Built on the .NET Framework
□Cmdlets for performing common system administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface (Modules)
○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
□Full access to the Windows API
20. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live (running) host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage
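As an added example (not part of the slides and not PowerForensics' own code), the following PowerShell reads the NTFS boot sector through a read-only raw volume handle and decodes the fields needed to locate the $MFT. Because no file on the volume is ever opened, no NTFS timestamps are updated; the function name and the -VolumeLetter parameter are assumptions, and it needs an elevated prompt.

```powershell
# Added example: decode the NTFS boot sector from a raw volume handle.
# Function name and -VolumeLetter parameter are assumptions for this illustration.
function Get-NtfsBootSector {
    [CmdletBinding()]
    param([string]$VolumeLetter = 'C')

    # \\.\C: is the raw volume device. Opening it for Read only means no file on the
    # file system is touched, so no $STANDARD_INFORMATION timestamps change.
    $devicePath = "\\.\$($VolumeLetter):"
    $stream = New-Object System.IO.FileStream -ArgumentList @(
        $devicePath, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        if ($stream.Read($sector, 0, 512) -ne 512) { throw "Short read from $devicePath" }
    } finally {
        $stream.Dispose()
    }

    # Offsets are those of the NTFS BIOS Parameter Block and extended BPB.
    $oemId = [System.Text.Encoding]::ASCII.GetString($sector, 0x03, 8)
    if ($oemId -ne 'NTFS    ') { throw "Volume $VolumeLetter is not NTFS (OEM ID '$oemId')" }

    $bytesPerSector    = [int][BitConverter]::ToUInt16($sector, 0x0B)
    $sectorsPerCluster = [int]$sector[0x0D]
    $clusterSize       = [int64]($bytesPerSector * $sectorsPerCluster)
    $mftCluster        = [BitConverter]::ToInt64($sector, 0x30)
    $mftMirrorCluster  = [BitConverter]::ToInt64($sector, 0x38)

    # Clusters per MFT record is a signed byte: a value above 127 is negative n,
    # meaning the record size is 2^|n| bytes (0xF6 = -10 gives the usual 1024).
    $rawRecordSize = [int]$sector[0x40]
    $mftRecordSize = if ($rawRecordSize -gt 127) { [int][math]::Pow(2, 256 - $rawRecordSize) }
                     else { $rawRecordSize * $clusterSize }

    [PSCustomObject]@{
        Volume            = $devicePath
        BytesPerSector    = $bytesPerSector
        SectorsPerCluster = $sectorsPerCluster
        ClusterSize       = $clusterSize
        MftStartCluster   = $mftCluster
        MftByteOffset     = $mftCluster * $clusterSize   # where $MFT record 0 begins
        MftMirrorCluster  = $mftMirrorCluster
        MftRecordSize     = $mftRecordSize
        VolumeSerial      = ('{0:X16}' -f [BitConverter]::ToUInt64($sector, 0x48))
    }
}

# Usage (elevated): Get-NtfsBootSector -VolumeLetter C
```

The MftByteOffset is the position a parser would seek to next in order to read raw $MFT records instead of going through the file system API.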
21. What is Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey
34. Notification
○Time: 20 August 2015 16:50
○Hostname: WIN-KFGTOETNIFJ
○IP Address: 10.20.3.187
○Activity Description:
□At 16:50 on 20 Aug 2015 a machine with IP of 10.20.3.187 called out to a previously unseen IP address of 10.20.3.191 (pretend this is a domain :-D) over port 80. During this and a number of additional connections analysts noticed a sizeable amount of data transferred from the internal asset to an external system (10.20.3.191).
36. Report
○Time: 20 August 2015 16:48 - 16:54
○AT job (scheduled task) used to elevate to SYSTEM context
□Executed launcher.bat
○Implant appeared to use some combination of PowerShell and WMI
○Created staging directory named “exfil”
○Used 7za.exe (7-zip) to compress three files into exfil.zip
□hamburgerrecipes.txt
□finances.csv
□password.txt
40. Takeaways
○Order of Volatility (RFC 3227)
□routing table, arp cache, process table, network connections, kernel statistics, memory
□temporary file systems
□hard drive disks
○Imaging Process ≢ Enterprise Response
○Don’t be part of the problem
□Local vs Domain Admin
□Interactive vs Network Logins
□Delegate vs Impersonation Tokens
○Hunting is like a Poker game
□Be careful about showing your hand to the attacker
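As an added example (not from the slides or PowerForensics), this PowerShell collects the live-response artifacts in the RFC 3227 order of volatility the slide lists, most volatile first, and hashes every output file so the collection is documented as the "forensically sound" definition requires. The function name and -OutputRoot parameter are assumptions; memory acquisition is left out, and -OutputRoot should be removable media or a network share so nothing is written to the suspect volume.

```powershell
# Added example: RFC 3227 ordered live-response collection with a hashed collection log.
# Function name and -OutputRoot parameter are assumptions for this illustration.
function Invoke-VolatileCollection {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$OutputRoot)

    $stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
    $caseDir = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

    # Most volatile first: routes, ARP cache and connections change by the second,
    # process table next, temporary files last. The disk itself is left for imaging.
    $steps = [ordered]@{
        '01-routes'      = { Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric }
        '02-arp'         = { Get-NetNeighbor | Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias }
        '03-processes'   = { Get-Process | Select-Object Id, ProcessName, Path }
        '04-connections' = { Get-NetTCPConnection |
                             Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
        '05-tempfiles'   = { Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Recurse -Force -ErrorAction SilentlyContinue |
                             Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc }
    }

    $log = foreach ($name in $steps.Keys) {
        $file  = Join-Path $caseDir "$name.csv"
        $start = (Get-Date).ToUniversalTime()
        try {
            & $steps[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
            $status = 'ok'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
        # Hash each artifact as it is written so the collection can be verified later.
        $hash = if (Test-Path $file) { (Get-FileHash -Path $file -Algorithm SHA256).Hash } else { $null }
        [PSCustomObject]@{ Step = $name; StartedUtc = $start; Status = $status; File = $file; SHA256 = $hash }
    }

    $log | Export-Csv -Path (Join-Path $caseDir 'collection-log.csv') -NoTypeInformation -Encoding UTF8
    $log
}

# Usage: Invoke-VolatileCollection -OutputRoot 'E:\Evidence'
```

The connections file pairs each remote address with its OwningProcess, which is the pivot an analyst would use to tie a notification like the one on slide 34 back to a process on the host.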