Brian Moran, Digital Strategy Consultant - BriMor Labs
Millersville, Maryland
28 OCTOBER 2015

BRIMOR LABS LIVE RESPONSE COLLECTION
or…
How to Leverage Incident Response Experience for FREE!!

A Brief List of Topics
• Glance into the life of an incident responder
• “Can I do this better, faster, stronger?”
– (All right, not stronger. Just in an easier way.)
• Overview of Live Response Collection
• Questions/Comments
BriMor Labs - 2015
The Introductory Introduction
• Hello, my name is Brian Moran
– Hi Brian!
• 13+ years Air Force Active Duty
– 10 years mobile exploitation/DFIR experience
• Co-winner: Unofficial Forensic 4Cast Awards 2012 -- Best Photoshop of Lee Whitfield
• Worked here….
The Life of an Incident Responder
• Digital Forensics/Incident Response (DFIR) is how I decided to pay the bills.
• First rule of incident response is always expect the EXACT opposite of what a client tells you
• For example, clients typically see Incident Responders like this
• Or this
• So we are immediately held to high expectations.

The Client is always right*
• How the client makes their network infrastructure sound.
*from a certain point of view

The Life of an Incident Responder
• Actual undoctored photo of network infrastructure
• This leads to most DFIR professionals feeling like this.
Don’t believe marketing hype
• “Oh, we spent $$$ on $Vendor product, so we are safe”
• Any “tool”, regardless of the price, is still a “tool”

Simply Put: Doing this
Does not equal this:

Use one… don’t be one!

Remember, attackers are clever too AKA “Hiding in plain sight”
• Have you checked lately to make sure nothing else is in your expensive cybersecurity tool folder?
– Folder is probably whitelisted from security application scans… which is perfect for malware staging
– Could also be attackers with a sense of humor :)
What do we want to collect?
• As much data as possible to help figure out the issue
• What is “normal”? What is not “normal”?
• Where do we start?
• What is your incident response process?

What to collect?
• Logs are a great resource
– You do have logging enabled, right? :)
• Active network connections
• Memory
• Common areas and techniques that attackers/bad actors commonly use
– Autoruns
– %TEMP%
– Root directory
– At jobs (yup. Still effective!)
Can We Build This? Yes We Can!
• Many times we have to collect data from multiple systems, as quickly as we can
• Some tools exist to do this, but I wanted something that was
– Repeatable
– Portable
– Customizable
– Easy to use
– And most importantly…. FREE!!!

Live Response Collection
• A single, downloadable .zip file that can be run from any location
– Administrative privileges allow more collection of data, but are not necessary
• Major operating systems are currently covered
– Windows (XP, Vista, 7, 8, 10, Server 2003, 2008, 2012)
– OSX
– Unix/Linux
• Development on all platforms is always continuing
• https://www.brimorlabs.com/Tools/LiveResponse.zip
*nix Live Response
• Collects various data from *nix systems, including:
– Logged in users on the system
– Running processes on the system
– Loaded kernel extensions
– Memory usage of running processes
– .bash_history (per user)
– current network connections

*nix Live Response (cont.)
• Example of output from “lsof_network_connections.txt”

OSX Live Response
• Information about OSX Live Response, including:
– Loaded kernel extensions
– .bash_history (for each user)
– Wifi connections
– User/System LaunchAgents
– User/System LaunchDaemons
– Application Log In Items
• ***More updates coming before the end of the year!!

OSX Live Response (cont.)
• Example of output from “DNS_Configuration.txt”
Windows Live Response
• Collection of built-in system commands and freely available tools
– Automated memory dump, gateway ARP correlation, network connections, registry entries, Sysinternals, etc.
• The executable presents an easy to understand GUI, so ANYONE can use it!

Windows Live Response
• Six options to choose from:
– Complete
• runs Complete_Windows_Live_Response.bat
– Memory Dump
• runs Memory_Dump_Windows_Live_Response.bat
– Triage
• runs Triage_Windows_Live_Response.bat

Windows Live Response (cont.)
• Six options to choose from:
– Secure Complete
• runs Secure-Complete_Windows_Live_Response.bat
– Secure Memory Dump
• runs Secure-Memory_Dump_Windows_Live_Response.bat
– Secure Triage
• runs Secure-Triage_Windows_Live_Response.bat
• GUI is just an HTML application, so you can customize the batch scripts (not the names) and the GUI will still work!
Complete option
• Complete performs the following items:
– Memory Dump (using Belkasoft RAM Capture)
– Volatile data (using variety of tools)
– Disk imaging (using FTK command line)
• Disk imaging images all mounted drives, with the exception of network shares
– Images will only be created if tool is run from an external (non-OS) drive (ie Can’t run it from C:)
– Also performs destination free space check prior to each imaging iteration
Processing time depends on number and size of drives

Memory Dump option
• Memory dump performs the following items:
– Memory Dump (using Belkasoft RAM Capture)
– Volatile data (using variety of tools)
• Memory dump can be created using other tools too, but I prefer Belkasoft RAM Capture
Processing time depends on size of memory (15-30 minutes usually)

Triage option
• Triage performs the following items:
– Volatile data (using variety of tools)
• Uses a combination of built-in Windows commands and third party tools to gather data
Processing time depends on amount of data to be collected (5-15 minutes usually)

“Secure” options
• Secure option is used when you want to protect collected data (Complete, Memory Dump, Triage)
– Randomly generated 16 character password
– Uses 7zip to compress and encrypt the data
– Sdelete used to securely delete data – makes data recovery very difficult (*I will never say impossible)
Remember to copy the password. Without the password, brute forcing the data is the only way in!
Windows LRC folder structure
• The folder structure has changed to give users minimal presentation
– This also makes finding the collected data easier

Windows_Live_Response/Scripts
• This folder contains all six versions of the scripts that are run by the Live Response Collection
– You can edit the contents of the scripts and run certain tools (or add tools) as long as you follow the structure and do not change the name of the script!

Windows_Live_Response/Scripts/WindowsModules
• This folder contains all of the “modules” utilized by the batch scripts
– Since they share so much code, only having to maintain one item instead of six is much easier
– Makes customization of LRC for your own environment even EASIER!!
– Blog post on writing your own module: http://www.brimorlabsblog.com/2015/09/introducing-windows-live-response.html

Windows_Live_Response/Tools
• This is where all of the third party tools are saved.
– The file “Windows_Complete_Tool_List.xslx” lists all of the tools, downloadable URL, and date the tool was updated
– You can add your own tools, but if you do, remember to update the script(s) accordingly!
Live Response Collection Windows output
• Attempted to give user guidance as much as possible
– If something may take a while, the script prints a nice message to the screen
– Tries to be as “polite” as possible!

Script output
• Script saves data to a folder with the computer name and date/time stamp under the folder from where the script was run
• Two folders and two text files
– “ForensicImages”
– “LiveResponseData”
– COMPUTERNAME_YYYYMMDD_HHMMSS_File_Hashes.txt
– COMPUTERNAME_YYYYMMDD_HHMMSS_Process_Details.txt

COMPUTERNAME_YYYYMMDD_HHMMSS_File_Hashes.txt
• Text file containing the MD5 and SHA256 of every collected/generated file and the full path to that file
– Excludes “DiskImage” folder
– But does include memory dump, if created

COMPUTERNAME_YYYYMMDD_HHMMSS_Processing_Details.txt
• “Logging” text file containing each command that was run by the script and (if present) any error messages from running that command
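A hash list like this is only useful if someone later re-hashes the collection against it, for example before handing the data to an external consultant. The Python below is an added example, not code from the Live Response Collection; it assumes a manifest line layout of `<md5>  <sha256>  <relative path>` and the folder names shown on the slides, and builds a constructed sample collection to show how a tampered file is flagged while the DiskImage folder stays excluded.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest line layout assumed here (not the tool's documented format): "<md5>  <sha256>  <relative path>".
EXCLUDED = ("ForensicImages/DiskImage/",)  # disk images are not hashed, per the slide; memory dumps are

def hash_file(path):
    """Return (md5, sha256) hex digests, streaming so a memory dump is never read whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def write_manifest(collection_dir, manifest_name):
    """Hash every file under the collection except disk images and the manifest itself."""
    root = Path(collection_dir)
    manifest, lines = root / manifest_name, []
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if not p.is_file() or p == manifest or rel.startswith(EXCLUDED):
            continue
        lines.append("  ".join((*hash_file(p), rel)))
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return lines

def verify_manifest(collection_dir, manifest_name):
    """Re-hash each listed file and report 'ok', 'modified' or 'missing' per path."""
    root, status = Path(collection_dir), {}
    for line in (root / manifest_name).read_text(encoding="utf-8").splitlines():
        md5, sha256, rel = line.split("  ", 2)
        target = root / rel
        status[rel] = ("missing" if not target.is_file()
                       else "ok" if hash_file(target) == (md5, sha256) else "modified")
    return status

def demo():
    """Constructed sample collection; netstat.txt is tampered with after the manifest is written."""
    root = Path(tempfile.mkdtemp(prefix="LRC_"))
    sample = {"LiveResponseData/NetworkInfo/netstat.txt": b"TCP  10.0.0.5:49152  203.0.113.9:443  ESTABLISHED\n",
              "ForensicImages/Memory/HOST_mem.dmp": b"\x00" * 4096,
              "ForensicImages/DiskImage/HOST_C.E01": b"EVF\x09\x0d\x0a\xff\x00"}
    for rel, data in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    write_manifest(root, "HOST_File_Hashes.txt")
    (root / "LiveResponseData/NetworkInfo/netstat.txt").write_bytes(b"tampered\n")
    return verify_manifest(root, "HOST_File_Hashes.txt")
```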
“ForensicImages” folder
• Location where forensic images are stored
– “DiskImage” – location of disk images created by the script (or manually)
– “Memory” – location of memory dumps created by the script (or manually)

“ForensicImages/DiskImage” folder
• The “Complete” option will store created image(s) in this folder
– Uses AccessData’s FTK Imager command line to create an E01 image, with a compression level of “4” and fragment size of 4096M (4GB)
– Built-in checks to prohibit automated imaging of the OS drive to itself
– Images ALL mounted drives (except network shares)
• Will not image the destination drive
– Built-in checks to ensure destination drive has enough free space for image
• This system had a “C” and “E” drive that was imaged

“ForensicImages/Memory” folder
• The “Complete” and “Memory Dump” option will store created memory dump in this folder
– Uses Belkasoft’s RamCapture to create a memory dump
– Filename: “COMPUTERNAME_YYYYMMDD_HHMMSS_mem.dmp”
• You can customize and use other tools if you like, but I’ve had the best experience with Belkasoft

“LiveResponseData” folder
• Contains a total of five subfolders
– “BasicInfo” – Various types of system information
– “CopiedFiles” – Files copied from the system
– “NetworkInfo” – Network information about the system
– “PersistenceMechanisms” – Ways that items can persist on the system (cough cough malware)
– “UserInfo” – User information
“LiveResponseData\BasicInfo” folder
• Contains primarily system information, including:
– Alternate Data streams
– Hashes of files in %Temp% (User and System) and System32 folder
– LastActivityView
– PsLoglist
– Running Processes
– Possible Unicode files/directories

“LiveResponseData\CopiedFiles” folder
• Contains files copied from the system, including:
– Web browser (Internet Explorer, Firefox, Chrome)
– Event Logs
– Log file
– MFT
– Prefetch
– Registry Hives
– USNJrnl
NOTE: Files copied into folder associated with the type of file that was copied

“LiveResponseData\NetworkInfo” folder
• Contains primarily network related information including:
– ARP
– Cports
– Internet Settings
– Netstat
– Routing table

“LiveResponseData\PersistenceMechanisms” folder
• Contains information related to persistence mechanisms on the system including:
– Autoruns
– Loaded drivers
– Scheduled tasks
NOTE: More often than not, if you have an infected system, you will find the evidence in here

“LiveResponseData\UserInfo” folder
• Contains information related to users of the system, including:
– Logons
– Listing of users
– Current User

What you see is what you get
• Script output is plain-text or html. No unique obfuscation attempts or proprietary file formats
– Memory dump, disk image(s), and copied files are obvious exceptions
• Can write/create your own parsing mechanism
Examples of gathered data
• ZeroAccess and POS RAM scraper present in CurrentVersion\Run output from autoruns
• Poweliks malware present in autoruns output
– Malware is stored entirely in registry key, it does not “write itself to disk” in a typical fashion
Short Case Study
• A user complains their system is running slow
• IT admin runs “Complete” version of the Live Response Collection… just in case
• Events (sort of) occur in real time
• First stop is “autorunsc.txt” file. Strange entry noted under the “CurrentVersion\Run” path.
• “msofficeservice” kind of seems legitimate
• Hmm.. maybe not, since the company is “Google Labs”
• Since we have the hashes, let's do a quick Google search
• File detected as malicious by virustotal
– 23/45 back in 2012
• Since we have the disk image, let’s check out the folder where the executable resides
• We can mount the image using FTK Imager Lite (included in the Live Response Collection)
• Browse to “Windows_Live_Response\Tools\FTK_Imager_Lite_3.1.1” and run “FTK Imager.exe”
• Select “File”
• Select “Add Evidence Item”
• Select Source box pops up
• Select “Image File”
• Click “Next >”
• Select File box pops up
• Click “Browse” and browse to source path
– Be sure to select E01 file, not E01.txt file
• Click “Finish”
• Navigate to path of interest
• “C:\Users\Win7-BML\AppData\Local\msoffice”
• Two files
– msofficeservice.exe
– winrnfsl32.dll
• Maybe the dll is needed by the exe. We can look at it in the hex editor pane in FTK Imager
• Uh oh!! That looks a lot like a log file of window titles and keystrokes!!
– HINT: It is exactly that
• Nicely formatted keylogger file
– Bonus points for you if you can tell what I was doing on the last entry!

Short Case Study Summary
• We identified a strange file thanks to the output of autoruns
• Searching for the hash determined the file was malicious
• A quick check of the folder reveals not only is the file malicious, it is actually a keylogger
BONUS: Can use buatapa to accomplish VirusTotal lookups
• buatapa is a small Python script (based heavily on Brian Baskin’s noriben) to parse autorun.csv files generated by autoruns
– Point script at autoruns csv file and let it run
– Attempts to find VirusTotal hits, strange Unicode characters in paths, and entries similar to Poweliks
• http://www.brimorlabsblog.com/2015/08/publicly-announcing-buatapa.html

buatapa console output example

buatapa text output example
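As an added illustration of the three checks buatapa is described as performing (this is example code, not buatapa itself), the Python below parses an autoruns CSV export and flags known-bad hashes, odd Unicode in paths, and registry-resident launch entries of the kind the Poweliks slide describes. The column names follow autorunsc's CSV layout as an assumption, the VirusTotal lookup is replaced by a local set of placeholder digests, and the sample rows are constructed (the "Google Labs" row mirrors the case study, not a real indicator).

```python
import csv
import io
import unicodedata

# Column names assumed to match autorunsc's CSV export; adjust if your autoruns output differs.
PATH_COLS = ("Entry", "Image Path", "Launch String")
# Stand-in for a VirusTotal lookup: a local set of known-bad SHA-256 values (constructed placeholders).
KNOWN_BAD_SHA256 = {"1" * 64}

def has_odd_unicode(text):
    """True if a value carries non-ASCII, control or format characters (homoglyphs, RTL overrides, etc.)."""
    return any(ord(ch) > 127 or unicodedata.category(ch) in ("Cc", "Cf") for ch in text)

def looks_registry_resident(row):
    """Poweliks-style heuristic: an autostart entry with no file on disk whose launch string runs script/rundll32."""
    image = row.get("Image Path", "").strip()
    launch = row.get("Launch String", "").lower()
    no_file = image == "" or image.lower().startswith("file not found")
    return no_file and any(k in launch for k in ("rundll32", "javascript:", "mshta", "powershell"))

def triage_autoruns(csv_text):
    """Return a list of (entry location, entry, reasons) for rows worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row.get("SHA-256", "").lower() in KNOWN_BAD_SHA256:
            reasons.append("known-bad hash")
        if any(has_odd_unicode(row.get(c, "")) for c in PATH_COLS):
            reasons.append("unusual unicode in path")
        if looks_registry_resident(row):
            reasons.append("registry-resident launch (Poweliks-like)")
        if reasons:
            findings.append((row["Entry Location"], row["Entry"], reasons))
    return findings

# Constructed sample rows; hashes and launch strings are placeholders, not real indicators.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Company,Image Path,Launch String,MD5,SHA-256
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,msofficeservice,enabled,Google Labs,c:\\users\\win7-bml\\appdata\\local\\msoffice\\msofficeservice.exe,c:\\users\\win7-bml\\appdata\\local\\msoffice\\msofficeservice.exe,00000000000000000000000000000000,1111111111111111111111111111111111111111111111111111111111111111
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,a1b2c3,enabled,,File not found: rundll32.exe,rundll32.exe javascript:PLACEHOLDER,,
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,,c:\\users\\public\\upd\u0430ter.exe,c:\\users\\public\\upd\u0430ter.exe,22222222222222222222222222222222,2222222222222222222222222222222222222222222222222222222222222222
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,%windir%\\system32\\SecurityHealthSystray.exe,33333333333333333333333333333333,3333333333333333333333333333333333333333333333333333333333333333
"""

def demo():
    return triage_autoruns(SAMPLE_CSV)
```

Running demo() flags the first three rows and leaves the Microsoft-signed row alone; in practice the placeholder hash set would be replaced by real lookups and the output written next to the other plain-text LRC results.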
Checklists for each OS!
• A checklist is included for each operating system
– Creates starting place for “what” to collect
• You can put your company logo at the top…
• …And you now have an incident response collection plan for each operating system!

Why free?!?!
• Because it saves your business time, money, and resources!
• How?
– Initial data gathering can help you reveal problems without the need for external consulting
– If you want external help, providing already gathered data can expedite incident response lifecycle
– Scripts collect data from “common” areas incident responders/digital forensic analysts look at first
– If scripts can help DFIR consultant remotely diagnose issue, no need to pay travel, lodging, incidentals, etc. costs

Questions?
Contact Us!
Email: [email protected]
Phone: 443.834.8280
Website: www.brimorlabs.com
Blog: www.brimorlabsblog.com
Twitter: @BriMorLabs
@brianjmoran