1. What the Heck Just Happened?
An Introduction to Digital Forensics
for Incident Response
Ken Evans
Information Security Incident Response Lead
Henry Ford Health Systems
CISSP, GSEC, GCFA, GCFE
Kevans.infosec@gmail.com
http://csc-hub.com/what_the_heck.pdf
2. What We’re Covering
• Introduction to Digital Forensics
• Basic memory analysis of a host with
Mandiant Redline
• Intermediate file system analysis of a host
with Log2timeline
3. We Are NOT Covering…
• Proper evidence handling procedures
• Detailed information about forensic
artifacts
• About 165 tools in the SANS SIFT
workstation
• The best way to scale this for a business
4. To Get the Most Value From This Presentation
• Don’t try to memorize the steps
• Keep a high level view and go for the
concepts
• See if this looks useful or fun
• Follow-up by getting the presentation and
accessing the links at the end
5. The Scenario
• You’re at work browsing when suddenly a popup window
appears and then goes away immediately.
• You look at your system for a minute, don’t see anything
amiss, shrug your shoulders and keep browsing.
• Thirty minutes later the help desk calls you and asks why you
are pinging an RBN command and control server in the
Ukraine.
• A virus scan and a reboot later, no one sees any problem,
and the traffic has stopped, so they leave you to your own
devices.
BUT…
8. Our Approach
Memory is VERY volatile, so we need to capture
it as soon as possible.
We’ll use Mandiant Redline for this.
Logs and other artifacts on the disk are also volatile,
in that they can decay and additional noise can make
it harder to find the entries we want.
We’ll take a disk image and create a
Super Timeline for this.
9. Some Assembly Required
For Memory Analysis:
1. Examiner system (64-bit, 4 GB RAM for VMware support)
2. Installation of Mandiant Redline on the Examiner system
3. External storage, larger than memory
For Disk Image Analysis:
4. External storage, larger than the source hard drive
5. Ubuntu Desktop 14 install disc on DVD or bootable USB
6. Installation of VMware Player on Examiner system
7. Installation of SANS SIFT Workstation 3 on Examiner system
8. MS Excel or other spreadsheet program (macro compatible)
10. Mandiant Redline Overview
Malware can sometimes hide in transit or on disk,
but eventually…
IT MUST EXECUTE
And to do that it needs to use…
MEMORY!
Mandiant Redline is a great way to visually analyze
the memory on your machine to look for problems.
11. Creating a Redline Collector
Create a “Standard Collector” from Redline on your Examiner system.
12. Collector Option - Acquire Memory Image
Make sure to Acquire Memory Image. Save the Collector to USB device.
13. Running the Redline Collector on the Subject
Run Redline from the USB device with a command line
session with elevated privileges.
14. Collector Can Take a While
Depends mostly on:
• Machine speed
• RAM size
• Disk speed
15. Time for the Subject Disk Image
We need to capture a disk image without changing or
corrupting the contents.
One simple way to do this is to use
Linux to read the disk.
Professionals would use a write blocker or do a live
capture here, but those are more complicated or
need special equipment or software.
19. Note the Source Drive with lsblk
Source 30 GB drive device is /dev/sda2
Mounted external media is /media/ubuntu/FreeAgent Drive
Note: In Linux, everything is a file.
20. Use the dd Command to Make a Disk Image File
dd Command Syntax
dd if=<input> of=<output> bs=<block size> conv=<flags>
if = input “file” (the source device, e.g. /dev/sda2)
of = output file (the image file on the external drive)
bs = block size (bytes read and written per operation)
conv = convert flags
noerror = continue if you get a read error
notrunc = do not truncate the output file
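Added example, not from the presentation: the dd step above wrapped in a small shell script that also hashes the source and the image, so the examiner can show the copy is bit-for-bit before the subject drive is put back in service. It assumes GNU coreutils (dd, sha256sum); the paths in the comments are the slide's, and the demo runs on a constructed file instead of a real device.

```shell
#!/bin/sh
# verify_image SRC IMG: hash both ends, record the hashes beside the image
# (the sidecar file is what goes on the chain-of-custody form), return 0
# only if they match.  Assumes GNU coreutils (dd, sha256sum).
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" > "$2.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# acquire_image SRC IMG, e.g. from the slide's live Ubuntu session:
#   acquire_image /dev/sda2 "/media/ubuntu/FreeAgent Drive/subject.dd"
# (quote the output path: that external drive has a space in its name).
acquire_image() {
    # noerror: keep reading past bad sectors; notrunc: never truncate IMG.
    # Without conv=sync a bad sector is skipped rather than zero-filled,
    # so the image ends up shorter than the source and verify_image fails:
    # that is the cue to re-image or document the unreadable region.
    dd if="$1" of="$2" bs=4M conv=noerror,notrunc 2>/dev/null || return 1
    verify_image "$1" "$2"
}

# Demo on a constructed 3 MB "device" (an ordinary file filled from
# /dev/urandom), so the script runs without root or real hardware.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/constructed_source.bin" bs=1M count=3 2>/dev/null
    if acquire_image "$work/constructed_source.bin" "$work/subject.dd"; then
        cat "$work/subject.dd.sha256"
    else
        echo "hash mismatch: image is not a faithful copy" >&2
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo` to see the two matching hashes; against a real drive, hash the source first only if the device is unmounted, as it is when booted from the live disc.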
21. Image Can Take a While
Depends mostly on:
• Machine speed
• Disk size
• Disk speed
22. Analyze the Memory
• Shutdown Ubuntu / Subject system
• Hook the USB drive up to your Examiner system
• Run Mandiant Redline
23. Open Collected Redline Data
Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
24. Browse to your Collector Data
Browse to the Collector data on the USB device.
25. Select the Time Stamped Audit Folder
Drill down through the Redline directory until you get to the folder that is based
on the date the collector ran. Then click the Select Folder button.
26. Browse to your Collector Data
We don’t need the Advanced or Indicators of Compromise options. Click Next.
33. Analyze the Disk Image
• Hook the USB drive up to your Examiner system
• Launch VMware Player
• Launch SIFT Workstation
• Make sure the USB drive is readable (mounted) in the SIFT Workstation
34. Super Timeline Process Overview
1. Acquire image: Ubuntu desktop live CD boot, dd command
2. Mount image for processing: launch SIFT workstation, mount command
3. Create comprehensive timeline: log2timeline command
4. Filter the timeline: l2t_process command
5. Apply colorization macro: colorize, sort, and analyze
38. Mount the .dd Image
mount Command Syntax
mount [options] sourcefile mountpoint
-o = options flag (comma-separated list of the options below)
ro = read-only
loop = loopback (mount the image file as if it were a block device)
show_sys_files = yes, show them (the hidden NTFS system files)
streams_interface = how to interpret alternate data streams
40. Execute the log2timeline Command
log2timeline Command Syntax
log2timeline [options] [-f format] [-z timezone] log_file [-w bodyfile]
-p = preprocess (trust me, you want it)
-r = recursive
-f = format. There are several, check the docs for your type (-f list).
-z = timezone. Use the timezone of the subject system. Check the docs for the string (-z list).
44. Timeline Might Take a While
Depends mostly on:
• Machine speed
• Disk speed
• Age of machine / size of logs
45. Let’s Trim it Down
The resulting file will be between hundreds of thousands and a
couple million entries. Yuck. Let’s focus on our pivot point.
46. l2t_process Command
l2t_process Command Syntax
l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]
Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY
NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
49. Output of l2t_process
This is a date filtered file, with all the duplicates removed. We still
have 80K entries for 1 day, but we are closer.
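Added example, not the presenter's or the log2timeline project's code: a simplified shell/awk stand-in for what the l2t_process step does, run over a few constructed l2t_csv rows so the date-window filter, duplicate removal and chronological sort can be seen on a sample small enough to read. It assumes the classic log2timeline CSV layout (date as MM/DD/YYYY in column 1, time in column 2) and rows without embedded commas or tabs.

```shell
#!/bin/sh
# filter_timeline CSV START END: emit the header plus the rows of a
# log2timeline CSV dated within START..END (MM-DD-YYYY, inclusive), with
# exact duplicate rows dropped, in chronological order.  A simplified
# stand-in for l2t_process; assumes no embedded commas or tabs in rows.
to_key() { printf '%s\n' "$1" | awk -F- '{ print $3 $1 $2 }'; }  # MM-DD-YYYY -> YYYYMMDD

filter_timeline() {
    csv="$1"; start=$(to_key "$2"); end=$(to_key "$3")
    awk -F, -v start="$start" -v end="$end" '
        NR == 1 { print; next }                  # keep the l2t_csv header
        {
            split($1, d, "/")                    # date column is MM/DD/YYYY
            key = d[3] d[1] d[2]
            if (key < start || key > end) next   # outside the pivot window
            if (seen[$0]++) next                 # exact duplicate, drop it
            print key " " $2 "\t" $0             # sortable prefix + row
        }' "$csv" |
    { IFS= read -r hdr; printf '%s\n' "$hdr"; LC_ALL=C sort | cut -f2-; }
}

# Constructed sample (not real evidence): a few l2t_csv rows around the
# 23rd, including one exact duplicate and one out-of-order row.
write_sample() {
    cat > "$1" <<'EOF'
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
09/22/2014,08:15:02,UTC,M...,WEBHIST,Firefox,Page Visited,bob,WS01,visit,http://example.test/,2,places.sqlite,0,-,firefox3,-
09/23/2014,14:02:11,UTC,.A..,PREFETCH,Windows Prefetch,Last Run,-,WS01,SVCHOST.EXE,SVCHOST.EXE run 1 time,2,SVCHOST.EXE-00000000.pf,0,-,prefetch,-
09/23/2014,14:02:11,UTC,.A..,PREFETCH,Windows Prefetch,Last Run,-,WS01,SVCHOST.EXE,SVCHOST.EXE run 1 time,2,SVCHOST.EXE-00000000.pf,0,-,prefetch,-
09/23/2014,14:01:55,UTC,...B,FILE,NTFS,Created,-,WS01,C:/Users/bob/Downloads/report.pdf,Created,2,C:/Users/bob/Downloads/report.pdf,0,-,mft,-
09/24/2014,09:30:00,UTC,..C.,EVT,Security,Logon,bob,WS01,Logon,Successful logon,2,Security.evtx,0,-,evtx,-
09/25/2014,10:00:00,UTC,M...,FILE,NTFS,Modified,-,WS01,C:/pagefile.sys,Modified,2,C:/pagefile.sys,0,-,mft,-
EOF
}

# Example run: sh script.sh demo  ->  header + the 23rd/24th rows only
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); write_sample "$tmp"
    filter_timeline "$tmp" 09-23-2014 09-24-2014; rm -f "$tmp"
fi
```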
50. Color Timeline Blog Entry
1. Download it - Open Timeline Color Template
2. Switch to Color Timeline worksheet/tab
3. Click on Cell A-1
4. Select 'DATA' Ribbon
5. Import Data "FROM TEXT"
6. Select log2timeline.csv file
7. TEXT IMPORT WIZARD Will Start
8. Step 1 -> Select Delimited ->Select NEXT
9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT >
10. Step 3 ->Select Finish
11. Where do you want to put the data? Simply Select OK.
12. Once imported View -> Freeze Panes -> Freeze Top Row
13. Optional: Hide Columns Timezone, User, Host, Short or Desc (keep one of these), Version
14. Select HOME Ribbon
15. Select all Cells "CTRL-A"
16. In Home Ribbon -> Sort and Filter - Filter
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
51. What Does the Color Template Do?
The color template will apply the following colors to rows in
the timeline file.
54. Summary
• We used Mandiant Redline to do a quick memory
analysis to find out if we had a problem
• svchost.exe was called out by Redline
• We followed it up with a more detailed file system
analysis
• We found a svchost.exe call in the middle of
several other events of note
55. Resources - 1
SANS SIFT Workstation 3.0 Download
http://digital-forensics.sans.org/community/downloads
SANS SIFT Workstation Blog
http://digital-forensics.sans.org/blog/category/sift-workstation
SANS SIFT Workstation YouTube series
https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A
Super Timeline Creation Cheat Sheet
http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident-response-log2timeline-timeline-cheatsheet.pdf
Timeline Colorization Template Instructions
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
56. Resources - 2
Mandiant Redline Download
https://www.mandiant.com/resources/download/redline
Example: Use the Mandiant Redline memory analysis tool for threat assessments
http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis-tool-for-threat-assessments