SlideShare uma empresa Scribd logo

What the Heck Just Happened?

Ken Evans
Ken Evans

An Introduction to Digital Forensics for Incident Response. Practical, educational steps you can take on your own home system.

Tecnologia
1 de 56
Baixar para ler offline
What the Heck Just Happened? An Introduction to Digital Forensics for Incident Response Ken Evans Information Security Incident Response Lead Henry Ford Health Systems CISSP, GSEC, GCFA, GCFE Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
What We’re Covering • Introduction to Digital Forensics • Basic memory analysis of a host with Mandiant Redline • Intermediate file system analysis of a host with Log2timeline
We Are NOT Covering… • Proper evidence handling procedures • Detailed information about forensic artifacts • About 165 tools in the SANS SIFT workstation • The best way to scale this for a business
To Get the Most Value From This Presentation • Don’t try to memorize the steps • Keep a high level view and go for the concepts • See if this looks useful or fun • Follow-up by getting the presentation and accessing the links at the end
The Scenario • You’re at work browsing when suddenly a popup window appears and then goes away immediately. • You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing. • Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine. • A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices. BUT…
Classical Incident Response Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned
Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned Incident Response with Full Intrusion Analysis Intrusion Analysis Memory Forensics Timeline Analysis File System Analysis Data Recovery
Our Approach Memory is VERY volatile, we need to capture it as soon as possible. We’ll use Mandiant Redline for this. Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
Some Assembly Required 1. Examiner system (64-bit, 4 GB RAM for VMware support) 2. Installation of Mandiant Redline on the Examiner system 3. External storage, larger than memory 4. External storage, larger than the source hard drive 5. Ubuntu Desktop 14 install disc on DVD or bootable USB 6. Installation of VMware Player on Examiner system 7. Installation of SANS SIFT Workstation 3 on Examiner system 8. MS Excel or other spreadsheet program (macro compatible) For Memory Analysis: For Disk Image Analysis:
Mandiant Redline Overview Malware can sometimes hide in transit or on disk, but eventually… IT MUST EXECUTE And to do that it needs to use… MEMORY! Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
Creating a Redline Collector Create a “Standard Collector” from Redline on your Examiner system.
Collector Option - Acquire Memory Image Make sure to Acquire Memory Image. Save the Collector to USB device.
Running the Redline Collector on the Subject Run Redline from the USB device with a command line session with elevated privileges.
Collector Can Take a While Depends mostly on: • Machine speed • RAM size • Disk speed
Time for the Subject Disk Image We need to capture a disk image without changing or corrupting the contents. One simple way to do this is to use Linux to read the disk. Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
Boot Ubuntu Live CD on Subject System
Launch a Terminal Session
Escalate to Super User
Note the Source Drive with lsblk Source 30 GB drive device is /dev/sda2 Mounted external media is /media/ubuntu/FreeAgent Drive Note: In Linux, everything is a file.
Use the dd Command to Make a Disk Image File dd Command Syntax if = input “file” of = output file bs = bytes to copy (i.e. buffer size) conv= convert flags noerror = continue if you get an error notrunc = do not truncate the output file
Image Can Take a While Depends mostly on: • Machine speed • Disk size • Disk speed
Analyze the Memory • Shutdown Ubuntu / Subject system • Hook the USB drive up to your Examiner system • Run Mandiant Redline
Open Collected Redline Data Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
Browse to your Collector Data Browse to the Collector data on the USB device.
Select the Time Stamped Audit Folder Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
Browse to your Collector Data We don’t need the Advanced or Indicators of Compromise options. Click Next.
Hurry Up and Wait No time for movies, though!
Select the Full Live Response Option
Review the Processes
Closer Examination of svchost.exe
MRI Report for svchost.exe - 1
MRI Report for svchost.exe - 2
Analyze the Disk Image • Hook the USB drive up to your Examiner system • Launch Vmware Player • Launch SIFT Workstation • Make sure USB drive is readable (mounted) in the SIFT Workstation
Super Timeline Process Overview • Unbuntu desktop live CD boot, dd command 1. Acquire Image • Launch SIFT workstation, mount command 2. Mount image for processing • log2timeline command 3. Create comprehensive timeline • l2t_process command 4. Filter the timeline • Colorize, sort, and analyze 5. Apply colorization macro
SIFT Workstation 3.0
Escalate your Privileges to Super User
Mount the .dd Image mount Command Syntax [options] sourcefile mountpoint -o = options flag ro = read-only loop = loopback show_sys_files = yes, show them streams_interface = how to interpret alternate data streams
Optional: Verify the Mount
Execute the log2timeline Command log2timeline Command Syntax [options] [-f format] [-z timezone] log_file [-w bodyfile] -p = preprocess (trust me, you want it) -r = recursive -f = format. There are several, check the docs for your type (-f list). -z = timezone. Use the timezone for the subject. Check the docs for the string …….(-z list).
How to List the Format Options
How to List the Time Zones The “-z list” feature will let you see the complete list of time zones and the strings to use.
log2timeline Sample Run
Timeline Might Take a While Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs
Let’s Trim it Down The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
l2t_process Command l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
l2t_process Command
l2t_process Command
Output of l2t_process This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
Color Timeline Blog Entry 1. Download it - Open Timeline Color Template 2. Switch to Color Timeline worksheet/tab 3. Click on Cell A-1 4. Select 'DATA' Ribbon 5. Import Data "FROM TEXT" 6. Select log2timeline.csv file 7. TEXT IMPORT WIZARD Will Start 8. Step 1 -> Select Delimited ->Select NEXT 9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT > 10. Step 3 ->Select Finish 11. Where do you want to put the data? Simply Select OK. 12. Once imported View -> Freeze Panes -> Freeze Top Row 13. Optional Hide Columns Timzone, User, Host, Short or Desc (keep one of these), Version 14. Select HOME Ribbon 15. Select all Cells "CTRL-A" 16. In Home Ribbon -> Sort and Filter - Filter http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline- template-for-log2timeline-output-files
What Does the Color Template Do? The color template will apply the following colors to rows in the timeline file.
Look What We Found!
Log2timeline Command Format
Summary • We used Mandiant Redline to do a quick memory analysis to find out if we had a problem • svchost.exe was called out by Redline • We followed it up with a more detailed file system analysis • We found a svchost.exe call in the middle of several other events of note
Resources - 1 SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident- response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super- timeline-template-for-log2timeline-output-files
Resources - 2 Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis- tool-for-threat-assessments Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf

Recomendados

Cs8493 unit 5
Cs8493 unit 5Cs8493 unit 5
Cs8493 unit 5
Kathirvel Ayyaswamy
 
Red Hat Training
Red Hat TrainingRed Hat Training
Red Hat Training
Open Source Group
 
Daemons
DaemonsDaemons
Daemons
christina555
 
fall2013
fall2013fall2013
fall2013
Will Dixon
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
Lesson 5 - Managing Devices
Lesson 5 - Managing DevicesLesson 5 - Managing Devices
Lesson 5 - Managing Devices
Gene Carboni
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
Andrew Case
 
DTraceCloud2012
DTraceCloud2012DTraceCloud2012
DTraceCloud2012
Brendan Gregg
 

Recomendados

Cs8493 unit 5
Cs8493 unit 5Cs8493 unit 5
Cs8493 unit 5
Kathirvel Ayyaswamy
 
Red Hat Training
Red Hat TrainingRed Hat Training
Red Hat Training
Open Source Group
 
Daemons
DaemonsDaemons
Daemons
christina555
 
fall2013
fall2013fall2013
fall2013
Will Dixon
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
Lesson 5 - Managing Devices
Lesson 5 - Managing DevicesLesson 5 - Managing Devices
Lesson 5 - Managing Devices
Gene Carboni
 
Workshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with VolatilityWorkshop - Linux Memory Analysis with Volatility
Workshop - Linux Memory Analysis with Volatility
Andrew Case
 
DTraceCloud2012
DTraceCloud2012DTraceCloud2012
DTraceCloud2012
Brendan Gregg
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
Nikos Gkogkos
 
CS9222 Advanced Operating System
CS9222 Advanced Operating SystemCS9222 Advanced Operating System
CS9222 Advanced Operating System
Kathirvel Ayyaswamy
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in Android
Shrey Verma
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
National Cheng Kung University
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
Zubair Nabi
 
Operating System 3
Operating System 3Operating System 3
Operating System 3
tech2click
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
Tech_MX
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry PiEmbedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
Alison Chaiken
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
Andrew Case
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
YourHelper1
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
Brendan Gregg
 
Ch04
Ch04Ch04
Ch04
Raja Waseem Akhtar
 
Readme
ReadmeReadme
Readme
Joao MEndes
 
Chapter 3: Processes
Chapter 3: ProcessesChapter 3: Processes
Chapter 3: Processes
Shafaan Khaliq Bhatti
 
Unit 4
Unit 4Unit 4
Unit 4
pm_ghate
 
Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
James Hsieh
 
File000127
File000127File000127
File000127
Desmond Devendran
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
MongoDB
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
Ishan A B Ambanwela
 

Mais conteúdo relacionado

Mais procurados

AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
Zubair Nabi
 
Operating System 3
Operating System 3Operating System 3
Operating System 3
tech2click
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
Tech_MX
 

Mais procurados (18)

Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
CS9222 Advanced Operating System
CS9222 Advanced Operating SystemCS9222 Advanced Operating System
CS9222 Advanced Operating System
 
Process Management in Android
Process Management in AndroidProcess Management in Android
Process Management in Android
 
Making Linux do Hard Real-time
Making Linux do Hard Real-timeMaking Linux do Hard Real-time
Making Linux do Hard Real-time
 
AOS Lab 5: System calls
AOS Lab 5: System callsAOS Lab 5: System calls
AOS Lab 5: System calls
 
Operating System 3
Operating System 3Operating System 3
Operating System 3
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public2010 2013 sandro suffert memory forensics introdutory work shop - public
2010 2013 sandro suffert memory forensics introdutory work shop - public
 
Unix memory management
Unix memory managementUnix memory management
Unix memory management
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry PiEmbedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
 
LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager LISA15: systemd, the Next-Generation Linux System Manager
LISA15: systemd, the Next-Generation Linux System Manager
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
De-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory AnalysisDe-Anonymizing Live CDs through Physical Memory Analysis
De-Anonymizing Live CDs through Physical Memory Analysis
 
Device Drivers and Running Modules
Device Drivers and Running ModulesDevice Drivers and Running Modules
Device Drivers and Running Modules
 
Linux Performance Analysis and Tools
Linux Performance Analysis and ToolsLinux Performance Analysis and Tools
Linux Performance Analysis and Tools
 
Ch04
Ch04Ch04
Ch04
 
Readme
ReadmeReadme
Readme
 
Chapter 3: Processes
Chapter 3: ProcessesChapter 3: Processes
Chapter 3: Processes
 
Unit 4
Unit 4Unit 4
Unit 4
 

Semelhante a What the Heck Just Happened?

Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
James Hsieh
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customization
Hiren Mayani
 
ICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance BoostICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance Boost
Christoph Adler
 

Semelhante a What the Heck Just Happened? (20)

Crash dump analysis - experience sharing
Crash dump analysis - experience sharingCrash dump analysis - experience sharing
Crash dump analysis - experience sharing
 
File000127
File000127File000127
File000127
 
Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)Deployment Strategies (Mongo Austin)
Deployment Strategies (Mongo Austin)
 
An Introduction To Linux
An Introduction To LinuxAn Introduction To Linux
An Introduction To Linux
 
Operating Systems: Revision
Operating Systems: RevisionOperating Systems: Revision
Operating Systems: Revision
 
Windows optimization and customization
Windows optimization and customizationWindows optimization and customization
Windows optimization and customization
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
AdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance BoostAdminCamp 2018 - IBM Notes V10 Performance Boost
AdminCamp 2018 - IBM Notes V10 Performance Boost
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 
PAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLERPAC 2019 virtual Christoph NEUMÜLLER
PAC 2019 virtual Christoph NEUMÜLLER
 
kbrgwillis.pdf
kbrgwillis.pdfkbrgwillis.pdf
kbrgwillis.pdf
 
Technical track-afterimaging Progress Database
Technical track-afterimaging Progress DatabaseTechnical track-afterimaging Progress Database
Technical track-afterimaging Progress Database
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATIONCOLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
COLLECT AND ANALYZE RAM FOR DIGITAL INVESTIGATION
 
ICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance BoostICONUK 2018 - IBM Notes V10 Performance Boost
ICONUK 2018 - IBM Notes V10 Performance Boost
 
Disk forensics for the lazy and the smart
Disk forensics for the lazy and the smartDisk forensics for the lazy and the smart
Disk forensics for the lazy and the smart
 
OS_lab_file.pdf
OS_lab_file.pdfOS_lab_file.pdf
OS_lab_file.pdf
 
Windows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff StokesWindows 7 client performance talk - Jeff Stokes
Windows 7 client performance talk - Jeff Stokes
 
Linux Recovery
Linux RecoveryLinux Recovery
Linux Recovery
 

Último

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

What the Heck Just Happened?

  • 1. What the Heck Just Happened? An Introduction to Digital Forensics for Incident Response Ken Evans Information Security Incident Response Lead Henry Ford Health Systems CISSP, GSEC, GCFA, GCFE Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
  • 2. What We’re Covering • Introduction to Digital Forensics • Basic memory analysis of a host with Mandiant Redline • Intermediate file system analysis of a host with Log2timeline
  • 3. We Are NOT Covering… • Proper evidence handling procedures • Detailed information about forensic artifacts • About 165 tools in the SANS SIFT workstation • The best way to scale this for a business
  • 4. To Get the Most Value From This Presentation • Don’t try to memorize the steps • Keep a high level view and go for the concepts • See if this looks useful or fun • Follow-up by getting the presentation and accessing the links at the end
  • 5. The Scenario • You’re at work browsing when suddenly a popup window appears and then goes away immediately. • You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing. • Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine. • A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices. BUT…
  • 6. Classical Incident Response Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned
  • 7. Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned Incident Response with Full Intrusion Analysis Intrusion Analysis Memory Forensics Timeline Analysis File System Analysis Data Recovery
  • 8. Our Approach Memory is VERY volatile, we need to capture it as soon as possible. We’ll use Mandiant Redline for this. Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
  • 9. Some Assembly Required 1. Examiner system (64-bit, 4 GB RAM for VMware support) 2. Installation of Mandiant Redline on the Examiner system 3. External storage, larger than memory 4. External storage, larger than the source hard drive 5. Ubuntu Desktop 14 install disc on DVD or bootable USB 6. Installation of VMware Player on Examiner system 7. Installation of SANS SIFT Workstation 3 on Examiner system 8. MS Excel or other spreadsheet program (macro compatible) For Memory Analysis: For Disk Image Analysis:
  • 10. Mandiant Redline Overview Malware can sometimes hide in transit or on disk, but eventually… IT MUST EXECUTE And to do that it needs to use… MEMORY! Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
  • 11. Creating a Redline Collector Create a “Standard Collector” from Redline on your Examiner system.
  • 12. Collector Option - Acquire Memory Image Make sure to Acquire Memory Image. Save the Collector to USB device.
  • 13. Running the Redline Collector on the Subject Run Redline from the USB device with a command line session with elevated privileges.
  • 14. Collector Can Take a While Depends mostly on: • Machine speed • RAM size • Disk speed
  • 15. Time for the Subject Disk Image We need to capture a disk image without changing or corrupting the contents. One simple way to do this is to use Linux to read the disk. Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
  • 16. Boot Ubuntu Live CD on Subject System
  • 17. Launch a Terminal Session
  • 19. Note the Source Drive with lsblk Source 30 GB drive device is /dev/sda2 Mounted external media is /media/ubuntu/FreeAgent Drive Note: In Linux, everything is a file.
  • 20. Use the dd Command to Make a Disk Image File dd Command Syntax if = input “file” of = output file bs = bytes to copy (i.e. buffer size) conv= convert flags noerror = continue if you get an error notrunc = do not truncate the output file
  • 21. Image Can Take a While Depends mostly on: • Machine speed • Disk size • Disk speed
  • 22. Analyze the Memory • Shutdown Ubuntu / Subject system • Hook the USB drive up to your Examiner system • Run Mandiant Redline
  • 23. Open Collected Redline Data Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
  • 24. Browse to your Collector Data Browse to the Collector data on the USB device.
  • 25. Select the Time Stamped Audit Folder Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
  • 26. Browse to your Collector Data We don’t need the Advanced or Indicators of Compromise options. Click Next.
  • 27. Hurry Up and Wait No time for movies, though!
  • 28. Select the Full Live Response Option
  • 30. Closer Examination of svchost.exe
  • 31. MRI Report for svchost.exe - 1
  • 32. MRI Report for svchost.exe - 2
  • 33. Analyze the Disk Image • Hook the USB drive up to your Examiner system • Launch Vmware Player • Launch SIFT Workstation • Make sure USB drive is readable (mounted) in the SIFT Workstation
  • 34. Super Timeline Process Overview • Unbuntu desktop live CD boot, dd command 1. Acquire Image • Launch SIFT workstation, mount command 2. Mount image for processing • log2timeline command 3. Create comprehensive timeline • l2t_process command 4. Filter the timeline • Colorize, sort, and analyze 5. Apply colorization macro
  • 35.
  • 37. Escalate your Privileges to Super User
  • 38. Mount the .dd Image mount Command Syntax [options] sourcefile mountpoint -o = options flag ro = read-only loop = loopback show_sys_files = yes, show them streams_interface = how to interpret alternate data streams
  • 40. Execute the log2timeline Command log2timeline Command Syntax [options] [-f format] [-z timezone] log_file [-w bodyfile] -p = preprocess (trust me, you want it) -r = recursive -f = format. There are several, check the docs for your type (-f list). -z = timezone. Use the timezone for the subject. Check the docs for the string …….(-z list).
  • 41. How to List the Format Options
  • 42. How to List the Time Zones The “-z list” feature will let you see the complete list of time zones and the strings to use.
  • 44. Timeline Might Take a While Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs
  • 45. Let’s Trim it Down The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
  • 46. l2t_process Command l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
  • 49. Output of l2t_process This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
  • 50. Color Timeline Blog Entry 1. Download it - Open Timeline Color Template 2. Switch to Color Timeline worksheet/tab 3. Click on Cell A-1 4. Select 'DATA' Ribbon 5. Import Data "FROM TEXT" 6. Select log2timeline.csv file 7. TEXT IMPORT WIZARD Will Start 8. Step 1 -> Select Delimited ->Select NEXT 9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT > 10. Step 3 ->Select Finish 11. Where do you want to put the data? Simply Select OK. 12. Once imported View -> Freeze Panes -> Freeze Top Row 13. Optional Hide Columns Timzone, User, Host, Short or Desc (keep one of these), Version 14. Select HOME Ribbon 15. Select all Cells "CTRL-A" 16. In Home Ribbon -> Sort and Filter - Filter http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline- template-for-log2timeline-output-files
  • 51. What Does the Color Template Do? The color template will apply the following colors to rows in the timeline file.
  • 52. Look What We Found!
  • 54. Summary • We used Mandiant Redline to do a quick memory analysis to find out if we had a problem • svchost.exe was called out by Redline • We followed it up with a more detailed file system analysis • We found a svchost.exe call in the middle of several other events of note
  • 55. Resources - 1 SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident- response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super- timeline-template-for-log2timeline-output-files
  • 56. Resources - 2 Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis- tool-for-threat-assessments Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf