What the Heck Just Happened? An Introduction to Digital Forensics
for Incident Response
Ken Evans
Information Security Incident Response Lead Henry Ford Health Systems
CISSP, GSEC, GCFA, GCFE
[email protected] http://csc-hub.com/what_the_heck.pdf
What We’re Covering
• Introduction to Digital Forensics
• Basic memory analysis of a host with Mandiant Redline
• Intermediate file system analysis of a host with Log2timeline
We Are NOT Covering…
• Proper evidence handling procedures
• Detailed information about forensic artifacts
• About 165 tools in the SANS SIFT workstation
• The best way to scale this for a business
To Get the Most Value From This Presentation
• Don’t try to memorize the steps
• Keep a high level view and go for the concepts
• See if this looks useful or fun
• Follow-up by getting the presentation and accessing the links at the end
The Scenario
• You’re at work browsing when suddenly a popup window appears and then goes away immediately.
• You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing.
• Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine.
• A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices.
BUT…
Classical Incident Response
Preparation
Identification and Scoping
Containment / Intelligence
Gathering
Eradication / Remediation
Recovery
Follow Up / Lessons Learned
Preparation
Identification and Scoping
Containment / Intelligence
Gathering
Eradication / Remediation
Recovery
Follow Up / Lessons Learned
Incident Response with Full Intrusion Analysis
Intrusion Analysis
Memory Forensics
Timeline Analysis
File System Analysis
Data Recovery
Our Approach
Memory is VERY volatile, we need to capture it as soon as possible.
We’ll use Mandiant Redline for this.
Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make
it harder to find the entries we want.
We’ll take a disk image and create a Super Timeline for this.
Some Assembly Required
1. Examiner system (64-bit, 4 GB RAM for VMware support)
2. Installation of Mandiant Redline on the Examiner system
3. External storage, larger than memory
4. External storage, larger than the source hard drive
5. Ubuntu Desktop 14 install disc on DVD or bootable USB
6. Installation of VMware Player on Examiner system
7. Installation of SANS SIFT Workstation 3 on Examiner system
8. MS Excel or other spreadsheet program (macro compatible)
For Memory Analysis:
For Disk Image Analysis:
Mandiant Redline Overview
Malware can sometimes hide in transit or on disk, but eventually…
IT MUST EXECUTE
And to do that it needs to use…
MEMORY!
Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
Collector Option - Acquire Memory Image
Make sure to Acquire Memory Image. Save the Collector to USB device.
Running the Redline Collector on the Subject
Run Redline from the USB device with a command line session with elevated privileges.
Time for the Subject Disk Image
We need to capture a disk image without changing or corrupting the contents.
One simple way to do this is to use Linux to read the disk.
Professionals would use a write blocker or do a live capture here, but those are more complicated or
need special equipment or software.
Note the Source Drive with lsblk
Source 30 GB drive device is /dev/sda2
Mounted external media is /media/ubuntu/FreeAgent Drive
Note: In Linux, everything is a file.
Use the dd Command to Make a Disk Image File
dd Command Syntax if = input “file” of = output file bs = bytes to copy (i.e. buffer size) conv= convert flags noerror = continue if you get an error notrunc = do not truncate the output file
Analyze the Memory
• Shutdown Ubuntu / Subject system
• Hook the USB drive up to your Examiner system
• Run Mandiant Redline
Open Collected Redline Data
Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
Select the Time Stamped Audit Folder
Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
Browse to your Collector Data
We don’t need the Advanced or Indicators of Compromise options. Click Next.
Analyze the Disk Image
• Hook the USB drive up to your Examiner system
• Launch Vmware Player
• Launch SIFT Workstation
• Make sure USB drive is readable (mounted) in the SIFT Workstation
Super Timeline Process Overview
• Unbuntu desktop live CD boot, dd command
1. Acquire Image
• Launch SIFT workstation, mount command
2. Mount image for processing
• log2timeline command
3. Create comprehensive timeline
• l2t_process command
4. Filter the timeline
• Colorize, sort, and analyze
5. Apply colorization macro
Mount the .dd Image
mount Command Syntax [options] sourcefile mountpoint -o = options flag ro = read-only loop = loopback show_sys_files = yes, show them streams_interface = how to interpret alternate data streams
Execute the log2timeline Command
log2timeline Command Syntax [options] [-f format] [-z timezone] log_file [-w bodyfile] -p = preprocess (trust me, you want it) -r = recursive -f = format. There are several, check the docs for your type (-f list). -z = timezone. Use the timezone for the subject. Check the docs for the string …….(-z list).
How to List the Time Zones
The “-z list” feature will let you see the complete list of time zones and the strings to use.
Timeline Might Take a While
Depends mostly on: • Machine speed • Disk speed • Age of machine /
size of logs
Let’s Trim it Down
The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
l2t_process Command
l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
Output of l2t_process
This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
Color Timeline Blog Entry
1. Download it - Open Timeline Color Template 2. Switch to Color Timeline worksheet/tab 3. Click on Cell A-1 4. Select 'DATA' Ribbon 5. Import Data "FROM TEXT" 6. Select log2timeline.csv file 7. TEXT IMPORT WIZARD Will Start 8. Step 1 -> Select Delimited ->Select NEXT 9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT > 10. Step 3 ->Select Finish 11. Where do you want to put the data? Simply Select OK. 12. Once imported View -> Freeze Panes -> Freeze Top Row 13. Optional Hide Columns Timzone, User, Host, Short or Desc (keep one of these), Version 14. Select HOME Ribbon 15. Select all Cells "CTRL-A" 16. In Home Ribbon -> Sort and Filter - Filter
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
What Does the Color Template Do?
The color template will apply the following colors to rows in the timeline file.
Summary
• We used Mandiant Redline to do a quick memory analysis to find out if we had a problem
• svchost.exe was called out by Redline
• We followed it up with a more detailed file system analysis
• We found a svchost.exe call in the middle of several other events of note
Resources - 1
SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident-response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files
Resources - 2
Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis-tool-for-threat-assessments
[email protected] http://csc-hub.com/what_the_heck.pdf