Cyber Incident Response & Digital Forensics Lecture

Page 1: Cyber Incident Response & Digital Forensics Lecture

Cyber Incident Response & Digital Forensics Lecture

NCC Group Cyber Defence Operations

NCC Group Cyber Incident Response

Page 2: Cyber Incident Response & Digital Forensics Lecture

Agenda

Non Law Enforcement Agency Use of DFIR Tools

DFIR Tools in a Cyber Security & Incident Response Context

BREAK

Open Source & Free DFIR Tools

Memory Forensics

eDiscovery

10 minute comfort / tea break

Page 3: Cyber Incident Response & Digital Forensics Lecture

Before we begin… Who is NCC?

• 110 million GBP revenue FTSE company

• Cyber Security Assurance Practice

• > 200 UK technical assurance consultants

• applied research (.gov.uk / .co.uk)

• technical security assessments

• cyber incident response / operations

• 50 UK risk / audit consultants

• > 2000 US technical assurance consultants

• Escrow & Software Assurance = sister BUs

Page 4: Cyber Incident Response & Digital Forensics Lecture

Acronyms

Page 5: Cyber Incident Response & Digital Forensics Lecture

Acronyms

LEA – Law Enforcement Agency

ACPO – Association of Chief Police Officers (UK)

DFIR – Digital Forensics and Incident Response

CIR – Cyber Incident Response

CDO – Cyber Defence Operations

IoT – Internet of Things

BAU – Business As Usual

OSINT – Open Source Intelligence

HUMINT – Human Intelligence

TI – Threat Intelligence

Page 6: Cyber Incident Response & Digital Forensics Lecture

Acronyms

ICT – Information and Communications Technology

APT – Advanced Persistent Threat

IOC – Indicator of Compromise

DRM – Digital Rights Management

OS – Operating System

FS – File System

FPC – Full Packet Capture

IDS – Intrusion Detection System

IPS – Intrusion Prevention System

AV – Anti-Virus

C2 – Command and Control

Page 7: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Page 8: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Mission: Understand and ultimately successfully prosecute a criminal for a crime.

Requirements:

• Chain of custody

• Proof best practice was followed

• Proof reputable tools were used

• Proof skilled personnel were used

• Proof reputable personnel were used

• Proof a crime was committed

• Proof linking an individual or group to said crime

Page 9: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Typical process for equipment / devices:

• Physical acquisition of hardware

• Duplication of source media (with write blockers)

• Extraction

• Time lining

• Analysis

• Illegal material (hashes often in the case of images)

• Illegal activity

Page 10: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Typical process for cloud / hosted services:

• Suspect identified

• Court order

• Lawful access or lawful assistance order to service provider

• Logs (meta data) and / or content supplier

• Time lining

• Analysis

• Cross reference with physically acquired data

Page 11: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Considerations for equipment / devices:

• Making sure they don’t lock

• Making sure they aren’t shut down

• Crypto

• Lost opportunity to use FireWire and similar for acquisition

• Making sure you get everything with a browser / that can run apps

• BluRay Players

• Games Consoles

• etc (aka hard nowadays)

Page 12: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Considerations for cloud / hosted services:

• Jurisdiction of provider

• Their lawful assistance requirements (i.e. which courts do they recognize)

• What information they’ll likely hold

Page 13: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Typical tools

etc..

Page 14: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

Example:

Digital Forensics Policy and Procedure for West Yorkshire

References:

ACPO Guidelines, which are based on four principles

Page 15: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

But ACPO guidelines are not just followed by the Police

Source: http://www.nottinghamshirehealthcare.nhs.uk/EasySiteWeb/GatewayLink.aspx?alId=15004

Page 16: Cyber Incident Response & Digital Forensics Lecture

Recap LEA Digital Forensics

LEAs by their nature exercise extreme care and diligence.

Conjecture, and thus short cuts, have no place.

They are facing a near impossible problem in relation to scale, complexity and rate of change, leading to a focus on only highly organized or impactful cyber crimes.

Lots of crimes involve a digital element even when the crime is non-cyber (i.e. kidnap etc.)

Page 17: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

Page 18: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

Lots of organizations don’t want to involve law enforcement or ever take a case to court. Reasons may include:

• Feel the likelihood of prosecution is low / no desire to prosecute

• Cyber security incidents are a business as usual event

• Don’t want to be slowed down by chain of evidence requirements

• Want to resume service / get back to BAU as quick as possible

• Secrecy, privacy and liability concerns

• Sophistication of the attack

• Internal HR matter

… other

Page 19: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

So what types of organizations are we talking about?

Most large organizations: if they are mature / sophisticated enough to detect they have been hacked, they are likely mature enough to either have internal teams or external providers (such as NCC Group) who use DFIR-like techniques.

Page 20: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

What do they want to know?

• What was hacked, compromised, stolen, accessed, looked at etc.

• By whom (caution: attribution is hard!)

• When

• How

• Impact (technical and business)

• Likely motives

• Capabilities

• Remediation steps

• Future mitigation to avoid repeats

• Liability

Page 21: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

Well, some times…

Knowing what you have lost may mean you have a ‘disclosure issue on your hands’.. simply knowing what you lost was encrypted may be the ideal outcome

Page 22: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

Types of scenarios – Employees / Contractors etc.

• Employee accessed inappropriate but not illegal internet material

• Employee accessed internal data they were not authorised to

• Employee committed an internally focused financial crime

• Employee disclosed intellectual property to an unauthorised third party

• Employee is soon to depart and stole intellectual property for personal benefit

• Employee used work resources for personal enterprise

• Other disciplinary issue..

Page 23: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

Types of scenarios – External Threat Actors

• Malicious phishing / spear phishing e-mails sent into an organization

• Malicious code present on a system

• Credentials compromised

• Host, System, Network was compromised

• Data was stolen / exfiltrated (taken out)

• Data was changed

• Data was added

• Theft / fraud

• Mobile devices tampered with (evil maid)

Page 24: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

This sounds like a scary scale, right?

But it happens every day: in most organizations of a moderate size you’d expect at least one such incident a day/week (you pick) if you could detect them all.

Page 25: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

The good news?

A growing army of professionals: researchers, developers and practitioners working together sharing knowledge, tools and intelligence …

Page 26: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

The bad news?

Technical evolution speed and improving security:

DRM, encryption, platform security, sandboxes, code signing and the rate at which technology is changing, plus a diversifying computing base (cloud / IoT / embedded), all present challenges to forensics

Page 27: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

So how do we approach this in the real-world?

We normally start with a suspicion or indicator of compromise: knowing there is something to be found, versus aimlessly looking for something that might not be there, leads to a more focused approach

Page 28: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

We do a lot of work at the logical acquisition layer due to the data volumes we now deal with. Why?

• Doing bit-by-bit copies of multi-terabyte systems is slow and challenging in a lot of cases.

• We don’t need to in a lot of cases, as we (generally) know where we want to look to confirm suspicions.

• We are interested a lot of the time in rich data sources rather than looking for one elusive deleted file

• Attacks / threat actors are often sloppy

Page 29: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

There are different types of forensics and analysis, often used together, which support each other

Page 30: Cyber Incident Response & Digital Forensics Lecture

Non Law Enforcement Use of DFIR Tools

What types of tools do we commonly use?

• Data Acquisition (i.e. copying / dumping / extracting etc.)

• Disk Forensics (searching, carving, time lining)

• Memory Forensics (interpreting, analyzing)

• Network Forensics (capturing, processing, alerting)

• Time lining (plotting the course of events)

• Data searching (ability to search for ad-hoc thing)

• Data matching (ability to search for known bad)

• Data visualization (show you)

• Malware analysis (further understand)

• OS / development tools and utilities

Page 31: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in a CIR Context

Page 32: Cyber Incident Response & Digital Forensics Lecture

Firstly: What is Cyber?

A word people understand to encompass all facets of technology use with regards to security and resilience.

Originally adopted by the military but now a word understood in boardrooms as the thing that isn’t easy but should be a concern..

Page 33: Cyber Incident Response & Digital Forensics Lecture

Secondly: A Very Typical Scenario

Page 34: Cyber Incident Response & Digital Forensics Lecture

Secondly: A Very Typical Scenario

Page 35: Cyber Incident Response & Digital Forensics Lecture

Secondly: A Very Typical Scenario

Page 36: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

5pm on Friday afternoon the phone rings… you get told:

“we had a support call from someone in R&D; their Windows machine was behaving oddly. We ran AV, it didn’t find anything, but after our latest cyber briefing from a competitor we think we may have been targeted by a sophisticated threat actor. Can you come and have a look?”

Page 37: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

7pm you are at the client… on a Friday evening … you get told:

“we don’t want to involve law enforcement; we simply want to know if we have been compromised, if we have, what were they likely after, and how sophisticated are they?”

You clarify with them the need not to maintain chain of custody, which they confirm.

Page 38: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

Stage 1: Network Sensor Deployment

Client has no IDS/IPS or FPC capabilities.. So you deploy a FPC node at the Internet ingress / egress point so that:

1. Full packet captures are produced for the next two weeks

2. IOC signatures can be deployed to detect known threats

3. There is a platform upon which custom IOC signatures can be deployed as the investigation continues

Page 39: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

Stage 2: Network Log Acquisition

You work with the I.T. team to acquire logs from as far back as possible:

1. Firewalls

2. Proxy Servers

3. DNS

4. DHCP

5. VPN

6. Webmail and other internet facing systems

7. Windows Domain Controllers

8. Inbound content AV scanners

Page 40: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

Stage 3: Live Host Acquisition

Before turning off Patient 0:

1. Dump RAM (all of the below will be here but we also do it live)

2. Dump process list including loaded modules

3. Dump kernel drivers loaded

4. Dump session information

5. Dump active network connections

6. Dump event log

7. Copy key files to removable media

tip: try to dump to a remote host or removable media

Page 41: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

Stage 4: Review Captured Network Sensor Data and Patient 0

Review the logs of the network sensors for any suspicious activity between Patient 0 and the internet during live host acquisition.

Look at the captured data from Patient 0 for any indicators of compromise (rootkit-like behaviour, weird services, things running with abnormal privileges)

Now you have a choice:

1. Turn off and store Patient 0

2. Keep it running and monitor heavily

Page 42: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

You observe in the captured data

1. Network connection to Jersey, which you know to be a nation state with formidable cyber espionage capabilities

2. A large stash of files in the recycle bin which was nothing to do with the R&D department

3. A new kernel driver which on the face of it appears to come from Microsoft but in actual fact is signed by a Swiss electronics manufacturer from whom you have no hardware

4. A repackaged version of VNC running as SYSTEM but with reverse tunnel support

Page 43: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

is the client compromised?

of course they are..

Page 44: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

You next:

1. Dump the e-mails received by the person in R&D on the date the driver and new VNC files were installed

2. You find 50 attachments received that day

3. You find 20 were received from external sources

4. You submit the SHA1 hashes for the 20 attachments to VirusTotal

5. You run the 20 attachments in a deployment of Cuckoo sandbox with matching software configuration

6. One exhibits odd behaviour

Page 45: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

You next:

1. Query all the machines on the network for the same repackaged VNC and new kernel driver

2. Develop a signature to alert on hosts connecting to the IP address in Jersey

You find connections from the domain controllers, finance, HR and the CEO to the IP
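Detection logic for that last step, as an added Python example that is not part of the original lecture: it sweeps constructed firewall log lines for connections to an IOC address and reports which internal hosts (by role, from a constructed asset list) talked to it, the pivot that surfaced the domain controllers, finance, HR and the CEO. The address 203.0.113.45 is a documentation-range placeholder standing in for the Jersey IP; the log format, the 10.0.0.0/8 internal range and the asset inventory are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the "Jersey" address in the scenario; 203.0.113.0/24 is reserved for documentation.
IOC_IPS = {"203.0.113.45"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed asset inventory so an alert names a role, not just an address.
ASSETS = {
    "10.0.1.10": "DC01 (domain controller)",
    "10.0.1.11": "DC02 (domain controller)",
    "10.0.5.23": "FIN-WS-07 (finance)",
    "10.0.6.41": "HR-WS-02 (HR)",
    "10.0.9.5": "CEO-LAPTOP",
    "10.0.7.77": "RD-WS-19 (R&D, Patient 0)",
}

# Constructed firewall export in a generic key=value format; timestamps are UTC.
FIREWALL_LOG = """\
2015-03-13T17:42:10Z action=allow src=10.0.7.77 dst=203.0.113.45 dport=443 bytes=5120
2015-03-13T18:05:33Z action=allow src=10.0.7.77 dst=93.184.216.34 dport=80 bytes=900
2015-03-14T02:11:09Z action=allow src=10.0.1.10 dst=203.0.113.45 dport=443 bytes=131072
2015-03-14T02:11:40Z action=allow src=10.0.1.11 dst=203.0.113.45 dport=443 bytes=98304
2015-03-14T09:30:00Z action=allow src=10.0.5.23 dst=203.0.113.45 dport=443 bytes=2048
2015-03-14T09:31:12Z action=allow src=10.0.6.41 dst=203.0.113.45 dport=443 bytes=4096
2015-03-15T11:02:51Z action=allow src=10.0.9.5 dst=203.0.113.45 dport=443 bytes=8388608
2015-03-15T11:03:00Z action=deny src=10.0.9.5 dst=203.0.113.45 dport=22 bytes=0
this line is deliberately malformed and must be skipped, not crash the sweep
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def match_ioc_connections(log_text, ioc_ips=IOC_IPS):
    """{internal src: summary} for every internal host that tried to reach an IOC address."""
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0, "denied": 0, "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["dst"] not in ioc_ips:
            continue  # unrelated traffic, or a malformed line we tolerate rather than abort on
        src = m["src"]
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # only pivot on our own assets
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        h = hits[src]
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["count"] += 1
        h["denied"] += int(m["action"] == "deny")  # a blocked beacon still marks the host as infected
        h["bytes"] += int(m["bytes"])
    return dict(hits)


def triage_report(hits):
    """Rows of (asset, src, attempts, bytes out, first seen, last seen), largest transfer first."""
    return [
        (ASSETS.get(src, "unknown asset"), src, h["count"], h["bytes"],
         h["first"].isoformat(), h["last"].isoformat())
        for src, h in sorted(hits.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    ]
```

Ordering by bytes sent puts the likely exfiltration host (here the CEO laptop) at the top of the list to look at first.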

Page 46: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

is the client really badly compromised?

of course they are..

Page 47: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

it’s now 7pm on Sunday

Page 48: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

So what have we done from a DFIR perspective?

1. Client had a suspicion

2. We used our experience to look for things out of place

3. We deployed new capability to provide us better insight

4. We captured what was available from host and network already

5. We started building a time line

6. We analysed what we had

7. We found the threat actor

8. We found out where else they were

9. We found samples of data they took
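Step 5, building the time line, as an added Python example that is not from the lecture: it normalises constructed records from three sources with different native timestamp formats (a proxy log in Unix epoch, an event log export carrying the workstation's +0100 local offset, and filesystem timestamps already in UTC) into one UTC-ordered timeline, then pulls the events that immediately precede the first contact with the IOC address. The host name, file and driver names, the service-install records and the 203.0.113.45 placeholder address are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed records from three sources, each in its native timestamp format.
# Host name, paths and the 203.0.113.45 address are placeholders for the scenario's artefacts.
PROXY_LOG = """\
1426267800.000 10.0.7.77 GET http://intranet.example.net/ 200
1426268530.000 10.0.7.77 GET http://203.0.113.45/ 200
"""  # squid-style access log: Unix epoch seconds, which are always UTC

EVENT_LOG = """\
2015-03-13 18:41:02 +0100 EventID=7045 Host=RD-WS-19 Msg="Service installed: svchelper (C:\\Windows\\Temp\\vnc_r.exe)"
2015-03-13 18:41:20 +0100 EventID=7045 Host=RD-WS-19 Msg="Service installed: EXAMPLE (kernel mode driver, EXAMPLE.sys)"
"""  # exported from the workstation in local time with the offset retained

FILESYSTEM = """\
2015-03-13T17:40:58Z C:\\Windows\\Temp\\vnc_r.exe created
2015-03-13T17:41:15Z C:\\Windows\\System32\\drivers\\EXAMPLE.sys created
"""  # from an $MFT parse, already in UTC


def parse_proxy(text):
    for line in text.splitlines():
        epoch, src, method, url, status = line.split()
        ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        yield ts, "proxy", f"{src} {method} {url} -> {status}"


def parse_eventlog(text):
    for line in text.splitlines():
        # "YYYY-MM-DD HH:MM:SS +HHMM" is 25 characters; %z keeps the offset so astimezone() is exact
        ts = datetime.strptime(line[:25], "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        yield ts, "eventlog", line[26:]


def parse_filesystem(text):
    for line in text.splitlines():
        stamp, rest = line.split(" ", 1)
        yield datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), "mft", rest


def build_timeline(*sources):
    """Merge (timestamp, source, description) records from every parser into one UTC-sorted list."""
    events = [event for source in sources for event in source]
    events.sort(key=lambda e: e[0])  # stable sort keeps source order for identical timestamps
    return events


def events_before(timeline, predicate, window_seconds):
    """Events inside the window before the first event matching `predicate`: what led up to it?"""
    anchor = next((e for e in timeline if predicate(e)), None)
    if anchor is None:
        return []
    start = anchor[0] - timedelta(seconds=window_seconds)
    return [e for e in timeline if start <= e[0] < anchor[0]]


TIMELINE = build_timeline(parse_proxy(PROXY_LOG), parse_eventlog(EVENT_LOG), parse_filesystem(FILESYSTEM))

if __name__ == "__main__":
    for ts, source, desc in TIMELINE:
        print(ts.isoformat(), f"[{source:8}]", desc)
```

Forgetting the +0100 offset would place the service installs an hour after the first beacon and invert the story, which is why every source is converted to UTC before the merge.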

Page 49: Cyber Incident Response & Digital Forensics Lecture

DFIR Tools in This Cyber Context

clean up begins..

.. staff are educated about phishing

Page 50: Cyber Incident Response & Digital Forensics Lecture

Break

Page 51: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Page 52: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

SANS Investigative Forensic Toolkit (SIFT)

Linux based VM with a huge collection of tools for acquisition and analysis

http://digital-forensics.sans.org/community/downloads

Page 53: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

The Sleuth Kit & Autopsy

http://www.sleuthkit.org/

Page 54: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

FTK Imager

http://accessdata.com/product-download

Page 55: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

National Software Reference Library

Known good hashes for software so they can be excluded from analysis

http://www.nsrl.nist.gov/

Page 56: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Volatility

De facto open source memory forensics tool

Windows, Mac and Linux support

http://www.volatilityfoundation.org/

Page 57: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Mandiant Redline

https://www.mandiant.com/resources/download/redline

Page 58: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

NetworkMiner

http://www.netresec.com/?page=NetworkMiner

Page 59: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

WireShark

https://www.wireshark.org/

Page 60: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Cuckoo Sandbox

http://www.cuckoosandbox.org/about.html

Page 61: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Yara

http://plusvic.github.io/yara/

Page 62: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

RegRipper

https://regripper.wordpress.com/

Page 63: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

NirSoft Utilities

Too many wonderful features to list…

http://www.nirsoft.net/

Page 64: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Microsoft Sysinternals

Some highlights

• Process Explorer

• Process Monitor

https://technet.microsoft.com/en-gb/sysinternals/bb545021.aspx

Page 65: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Bulk Extractor

https://github.com/simsong/bulk_extractor

Page 66: Cyber Incident Response & Digital Forensics Lecture

Open Source & Free DFIR Tools

Log2timeline / Plaso

http://plaso.kiddaland.net/usage/log2timeline

Page 67: Cyber Incident Response & Digital Forensics Lecture

Memory Forensics

Page 68: Cyber Incident Response & Digital Forensics Lecture

Memory Forensics

What is memory forensics?

In short: the reconstruction, typically from a physical RAM dump, of a representation of the system that was running at the time, which can be queried and otherwise interrogated as part of a forensics exercise.

It allows us to capture transient or ephemeral aspects such as some aspects of screen layout or connections, and other non-persisting malware / exploits

Page 69: Cyber Incident Response & Digital Forensics Lecture

Memory Forensics

How does it work?

Dump physical RAM as a contiguous image OR get the hibernation file

Then:

1. Parse the physical image for key structures for the OS version

2. Rebuild kernel and user space virtual memory layout

3. Overlay OS concepts

Sounds easy.. It isn’t: look at the Volatility source
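Step 2, rebuilding the virtual memory layout, as an added Python example that is not from the lecture or from Volatility: a minimal x86 32-bit (non-PAE) address space that walks a page directory and page table inside a constructed five-frame "physical dump" to translate virtual addresses, handling 4 MiB large pages and unmapped addresses, and reads a string whose two halves sit in non-adjacent physical frames. The dump layout and the directory table base 0x1000 are constructed.

```python
import struct

PAGE_SIZE = 0x1000
PRESENT = 0x1
LARGE_PAGE = 0x80  # PS bit in a page directory entry: maps a 4 MiB page with no page table


class AddressSpace:
    """Minimal x86 32-bit (non-PAE) paged address space on top of a raw physical dump."""

    def __init__(self, physical, dtb):
        self.phys = physical
        self.dtb = dtb  # directory table base: the CR3 value of the process being reconstructed

    def _entry(self, paddr):
        return struct.unpack_from("<I", self.phys, paddr)[0]

    def vtop(self, vaddr):
        """Virtual to physical; None when the directory or table entry is not present."""
        pde = self._entry(self.dtb + ((vaddr >> 22) & 0x3FF) * 4)
        if not pde & PRESENT:
            return None
        if pde & LARGE_PAGE:
            return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
        pte = self._entry((pde & 0xFFFFF000) + ((vaddr >> 12) & 0x3FF) * 4)
        if not pte & PRESENT:
            return None
        return (pte & 0xFFFFF000) | (vaddr & 0xFFF)

    def read(self, vaddr, length):
        """Read a virtual range one page at a time: adjacent pages need not be adjacent frames."""
        out = bytearray()
        while length:
            paddr = self.vtop(vaddr)
            if paddr is None:
                raise ValueError(f"unmapped virtual address {vaddr:#x}")
            chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
            out += self.phys[paddr:paddr + chunk]
            vaddr, length = vaddr + chunk, length - chunk
        return bytes(out)


def build_sample_dump():
    """Constructed five-frame 'physical image': page directory at 0x1000, one page table at 0x2000."""
    mem = bytearray(5 * PAGE_SIZE)
    pd, pt = 0x1000, 0x2000
    struct.pack_into("<I", mem, pd + 1 * 4, pt | 0x3)                # VA 0x00400000-0x007FFFFF via page table
    struct.pack_into("<I", mem, pd + 2 * 4, 0x0 | LARGE_PAGE | 0x3)  # VA 0x00800000-0x00BFFFFF as one 4 MiB page
    struct.pack_into("<I", mem, pt + 1 * 4, 0x4000 | 0x3)            # VA 0x00401000 -> frame 0x4000
    struct.pack_into("<I", mem, pt + 2 * 4, 0x3000 | 0x3)            # VA 0x00402000 -> frame 0x3000 (swapped)
    mem[0x4FFC:0x5000] = b"NCC-"  # a string that straddles the virtual page boundary ...
    mem[0x3000:0x3003] = b"IOC"   # ... continues in a frame that is physically *before* the first
    return bytes(mem)


SPACE = AddressSpace(build_sample_dump(), dtb=0x1000)

if __name__ == "__main__":
    print(hex(SPACE.vtop(0x00401FFC)), SPACE.read(0x00401FFC, 7))  # 0x4ffc b'NCC-IOC'
```

Everything a memory forensics tool shows (process lists, loaded drivers, connections) is read through a layer like this one, so a wrong DTB or an unsupported paging mode yields garbage rather than an error.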

Page 70: Cyber Incident Response & Digital Forensics Lecture

Memory Forensics

What tool?

VOLATILITY

Python but binary distributions available

Open source

Plugin architecture (we wrote one – it was easy)

Awesome

Page 71: Cyber Incident Response & Digital Forensics Lecture

Memory Forensics

Demo

Page 72: Cyber Incident Response & Digital Forensics Lecture

eDiscovery

Page 73: Cyber Incident Response & Digital Forensics Lecture

eDiscovery

“Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case.”

Page 74: Cyber Incident Response & Digital Forensics Lecture

eDiscovery

Page 75: Cyber Incident Response & Digital Forensics Lecture

eDiscovery

Source: http://www.slideshare.net/mikealsup/arma-san-antonio-02-82012

Page 76: Cyber Incident Response & Digital Forensics Lecture

eDiscovery

So what is eDiscovery in reality:

• Traditional digital forensics

  • in less sophisticated / organised environments

  • where data has been destroyed

  • where data is distributed (e.g. mobile devices)

• Expensive specialised software

• Discovery across corporate assets

• Workflow

• Reporting

Page 77: Cyber Incident Response & Digital Forensics Lecture

Wrapping up

Page 78: Cyber Incident Response & Digital Forensics Lecture

Conclusions

We have only scratched the surface

Focus on:

• Being able to acquire

• Being able to analyse

• Being able to question things that are atypical

• Being able to draw conclusions based on fact

• Being able to deal with more than porn

Page 79: Cyber Incident Response & Digital Forensics Lecture

Europe

Manchester - Head Office

Cheltenham

Edinburgh

Leatherhead

London

Milton Keynes

Amsterdam

Copenhagen

Munich

Zurich

North America

Atlanta

Austin

Chicago

Mountain View

New York

San Francisco

Seattle

Australia

Sydney