Incident Response and Digital Forensics
Agenda
Host Forensics
Prefetch Analysis
ShimCache Analysis
Windows Persistence
Network Forensics
Lab: Network Traffic Analysis
Log Analysis
Lab: Log Forensic Analysis
Malware Triage
Static Analysis
Dynamic Analysis
Host Forensics
Hunt for malware through host-based artifacts
Prefetch Analysis
Examination of prefetch files may help identify:
Analysis Approach
Sort entries by Date Created
Search for suspicious binaries
The hash in the filename is a hash of the path of execution
Multiple entries with different hashes indicate execution from different paths
C:\WINDOWS\1.exe
C:\WINDOWS\addins\1.exe
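The prefetch check described above, as an added Python example (not part of the original deck): it groups a Prefetch directory listing by executable name, sorts entries by creation time, and reports any executable whose prefetch files carry more than one path hash, which is what the two 1.exe paths above would produce. The directory listing is constructed and its hashes are made up. The prefetch_path_hash function is an assumption added here: it reproduces the widely published Vista/Windows 7 (SCCA version 23) hash over the upper-cased volume device path; Windows XP and Windows 8 and later use different hash functions, so do not compare its output against files from those versions.

```python
"""Prefetch filename triage.

Prefetch files are named <EXENAME>-<HASH>.pf, where the hash is computed
from the full path the executable ran from. The same executable name with
several different hashes therefore means it ran from several paths.
"""
import re
from collections import defaultdict
from datetime import datetime

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def prefetch_path_hash(device_path: str) -> int:
    """Vista/Windows 7 (SCCA version 23) prefetch path hash.

    Assumption: this is the published Vista/7 function; Windows XP and
    Windows 8 and later use different functions. The input is the volume
    device path (e.g. \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\1.EXE), which is
    hashed in upper case.
    """
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def group_prefetch_entries(entries):
    """entries: iterable of (filename, created datetime).

    Returns {EXENAME: [(hash, created), ...]} with each list sorted by
    creation time, oldest first. Files that are not prefetch files are skipped.
    """
    groups = defaultdict(list)
    for name, created in entries:
        m = PF_NAME.match(name)
        if not m:
            continue
        groups[m.group("exe").upper()].append((m.group("hash").upper(), created))
    for hits in groups.values():
        hits.sort(key=lambda hit: hit[1])
    return dict(groups)


def multi_path_executables(entries):
    """Executable names whose prefetch files carry more than one path hash."""
    groups = group_prefetch_entries(entries)
    return sorted(exe for exe, hits in groups.items()
                  if len({h for h, _ in hits}) > 1)


def newest_first(entries):
    """Prefetch filenames ordered by creation time, newest first."""
    return [name for name, _ in sorted(entries, key=lambda e: e[1], reverse=True)
            if PF_NAME.match(name)]


# Constructed directory listing; the hashes are made up, not computed.
SAMPLE_LISTING = [
    ("CMD.EXE-4A81B364.pf", datetime(2015, 1, 2, 1, 3, 53)),
    ("1.EXE-2D9E1A0C.pf", datetime(2015, 2, 28, 23, 58, 10)),
    ("Layout.ini", datetime(2015, 1, 1, 0, 0, 0)),
    ("1.EXE-7F1C5E22.pf", datetime(2015, 3, 1, 12, 1, 40)),
]

if __name__ == "__main__":
    for name in newest_first(SAMPLE_LISTING):
        print(name)
    for exe in multi_path_executables(SAMPLE_LISTING):
        hashes = [h for h, _ in group_prefetch_entries(SAMPLE_LISTING)[exe]]
        print(f"{exe} ran from {len(hashes)} different paths: {', '.join(hashes)}")
    a = prefetch_path_hash(r"\DEVICE\HARDDISKVOLUME1\WINDOWS\1.EXE")
    b = prefetch_path_hash(r"\DEVICE\HARDDISKVOLUME1\WINDOWS\ADDINS\1.EXE")
    print(f"same name, different path: {a:08X} vs {b:08X}")
```

On a real case, feed the function a listing of C:\Windows\Prefetch (filename plus creation time) and pivot on every name that shows up with two or more hashes.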
ShimCache Analysis
Created to track compatibility issues with executed programs
Entries are created as a result of an activity, such as browsing a directory
Does not necessarily indicate that a binary was executed
Timestamps do not indicate the time and date of binary execution
Except when an attacker uses the PsExec utility
The timestamp for PSEXESVC will reflect when the binary above it executed
Analysis Approach
In this example, C:\WINDOWS\addins\svchost.exe is a suspicious binary
The binary was likely executed using the PsExec utility on 03/01/15 at 12:01:42
Search for suspicious filenames in suspicious paths
Pivot on this data to conduct additional analysis and scope out other hosts
Last Modified     | Last Update | Path                          | File Size | Exec. Flag
01/02/15 01:03:53 | N/A         | C:\WINDOWS\System32\cmd.exe   | 743217    | N/A
03/15/12 05:21:41 | N/A         |                               | 58192     | N/A
02/12/13 11:23:15 | N/A         | C:\WINDOWS\addins\svchost.exe | 43939     | N/A
03/01/15 12:01:42 | N/A         | C:\WINNT\PSEXESVC.EXE         | 53248     | N/A
11/12/13          | N/A         | C:\Program Files\Internet     | 87234     | N/A
C:\
C:\hp\
C:\wmpub\
C:\Temp\
C:\Windows\
C:\Windows\Temp\
C:\Windows\Debug\
C:\Windows\Addins\
C:\Windows\System32\
C:\Windows\SysWow64\
C:\Windows\Prefetch\
\AppData\Local\Temp\
\AppData\Roaming\
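The ShimCache approach above (flag suspicious names in suspicious paths, and use the PSEXESVC.EXE entry to date the binary listed directly above it), as an added Python example that is not part of the original deck. The entries are constructed to mirror the table above, minus the N/A columns, plus one extra AppData\Roaming entry; the directory list is the one from this slide, while the set of system binary names and the System32 directories used for the "system name outside System32" check are assumptions added here.

```python
"""ShimCache (AppCompatCache) triage.

Two checks from the analysis approach above:
  1. A ShimCache timestamp is the file's last-modified time, not the time
     it ran. The exception used here: the entry directly above PSEXESVC.EXE
     carries the time that binary ran under PsExec.
  2. A well-known system binary name outside its normal directory, or any
     file under a commonly abused directory, deserves a closer look.
"""
from datetime import datetime
from typing import List, NamedTuple, Optional


class ShimEntry(NamedTuple):
    last_modified: Optional[datetime]   # None when the timestamp did not survive
    path: str
    size: int


# Commonly abused directories (the list above), compared case-insensitively.
SUSPICIOUS_DIRS = [
    "C:\\hp\\", "C:\\wmpub\\", "C:\\Temp\\", "C:\\Windows\\Temp\\",
    "C:\\Windows\\Debug\\", "C:\\Windows\\Addins\\",
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
]
# Assumed set of names that belong in System32; the same name elsewhere is a classic lure.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "dllhost.exe", "cmd.exe"}
SYSTEM_DIRS = ("C:\\WINDOWS\\SYSTEM32\\", "C:\\WINDOWS\\SYSWOW64\\", "C:\\WINNT\\SYSTEM32\\")


def path_flags(path: str) -> List[str]:
    """Reasons a ShimCache path looks suspicious (empty list if none)."""
    upper = path.upper()
    directory, _, name = upper.rpartition("\\")
    directory += "\\"
    reasons = []
    for d in SUSPICIOUS_DIRS:
        if d.upper() in upper:
            reasons.append(f"located under {d}")
            break
    if name.lower() in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
        reasons.append(f"system binary name {name.lower()} outside System32")
    return reasons


def psexec_executions(entries: List[ShimEntry]):
    """Pair every PSEXESVC.EXE entry with the entry directly above it.

    Returns [(path_of_binary_above, psexesvc_timestamp)]; the timestamp is
    the best available execution time for that binary.
    """
    pairs = []
    for i, entry in enumerate(entries):
        if i > 0 and entry.path.upper().endswith("\\PSEXESVC.EXE"):
            pairs.append((entries[i - 1].path, entry.last_modified))
    return pairs


def triage(entries: List[ShimEntry]):
    """Return [(path, reasons)] for the entries worth pivoting on."""
    executed = dict(psexec_executions(entries))
    findings = []
    for entry in entries:
        reasons = path_flags(entry.path)
        if executed.get(entry.path):
            reasons.append(f"likely run via PsExec at {executed[entry.path]:%m/%d/%y %H:%M:%S}")
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Constructed entries mirroring the table above, in the same order.
SAMPLE_SHIMCACHE = [
    ShimEntry(datetime(2015, 1, 2, 1, 3, 53), "C:\\WINDOWS\\System32\\cmd.exe", 743217),
    ShimEntry(datetime(2013, 2, 12, 11, 23, 15), "C:\\WINDOWS\\addins\\svchost.exe", 43939),
    ShimEntry(datetime(2015, 3, 1, 12, 1, 42), "C:\\WINNT\\PSEXESVC.EXE", 53248),
    ShimEntry(None, "C:\\Users\\analyst\\AppData\\Roaming\\update.exe", 20480),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_SHIMCACHE):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The flagged paths are the pivot points: search the same path and filename across other hosts' ShimCache and Prefetch data to scope the intrusion.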
Windows Persistence
Windows Services
Windows Task Scheduler
Windows Registry
Run
Userinit
AppInit DLLs
Installed Components
Startup Folder
Active Setup
Windows Services
Services are a very common way for malware to persist on a host
Use tools like Process Hacker to receive notifications of newly installed services
Windows Services provide the following information:
Service Name
Display Name
Description
Path to Executable
Startup Type
Service Status
Meterpreter Artifacts
Attackers typically use the at command to schedule tasks over the network
Creates an At#.job file in the C:\WINDOWS\Tasks directory
Example of SchedLgU.txt
Windows Registry
We can spend hours talking about all of the different persistence points
We're not going to do that; instead, I'll provide a few useful links
We'll talk about useful tools to help identify persistent binaries in the registry
Process Hacker
Windows processes
Windows Services
Network Communications
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Network Forensics
Identify malicious network traffic and anomalous activity
Bro
Tcpdump
WireShark
Network Miner
Suricata/Snort
Protocol Hierarchy
Conversations
Endpoints
I/O Graph
Analysis Approach
What's your goal? If it's to identify malicious activity, then I do the following:
Update IDS signatures with the latest set (i.e. Emerging Threats)
Run the PCAP through Suricata or Snort and analyze alerts
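The "analyze alerts" step, as an added Python example that is not part of the original deck: Suricata writes one JSON object per line to eve.json, so the script below keeps only the alert events, groups them by signature and talker pair, orders the groups by severity and volume, and lists the noisiest sources. The EVE lines are constructed; the signature names and the SIDs 9000001 and 9000002 are placeholders, not real Emerging Threats rules, and the field names are the standard EVE alert fields (timestamp, src_ip, dest_ip, alert.signature_id, alert.signature, alert.severity).

```python
"""Summarise Suricata EVE JSON alerts produced from a PCAP run."""
import json
from collections import Counter, defaultdict

# Constructed eve.json lines (one JSON object per line). The signature text
# and SIDs are placeholders; the flow record shows non-alert events being skipped.
SAMPLE_EVE = """\
{"timestamp":"2015-03-01T12:01:40.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49152,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER Trojan POST to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2015-03-01T12:01:41.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2015-03-01T12:02:03.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49153,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"rev":1,"signature":"PLACEHOLDER Trojan POST to C2","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2015-03-01T12:05:17.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"signature_id":9000002,"rev":2,"signature":"PLACEHOLDER Policy DNS query to dynamic DNS","category":"Potentially Bad Traffic","severity":2}}
"""


def parse_alerts(text: str):
    """Return the alert records from EVE JSON text, skipping other event types."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a partially written last line on a live file
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Group alerts by (signature, src, dst); highest severity and volume first."""
    buckets = defaultdict(list)
    for a in alerts:
        buckets[(a["alert"]["signature_id"], a["src_ip"], a["dest_ip"])].append(a)
    rows = []
    for (sid, src, dst), hits in buckets.items():
        hits.sort(key=lambda h: h["timestamp"])
        rows.append({
            "severity": hits[0]["alert"]["severity"],  # 1 is the most severe
            "count": len(hits),
            "sid": sid,
            "signature": hits[0]["alert"]["signature"],
            "src": src,
            "dst": dst,
            "first": hits[0]["timestamp"],
            "last": hits[-1]["timestamp"],
        })
    rows.sort(key=lambda r: (r["severity"], -r["count"], r["first"]))
    return rows


def top_sources(alerts, n: int = 5):
    """Internal hosts generating the most alerts, for host-forensics pivots."""
    return Counter(a["src_ip"] for a in alerts).most_common(n)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE)
    for r in summarize(alerts):
        print(f"sev {r['severity']} x{r['count']:<3} {r['src']} -> {r['dst']}  "
              f"[{r['sid']}] {r['signature']}  ({r['first']} .. {r['last']})")
    print("top sources:", top_sources(alerts))
```

Replace SAMPLE_EVE with the contents of the eve.json written by the Suricata run; the source hosts at the top of the list are the ones to pull Prefetch and ShimCache from next.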
Log Analysis
Reconstruct an activity timeline through event correlation
Was the system compromised and when? How do you know for sure?
If it was compromised, what was the method used?
Was more than one attacker involved? Did they all succeed or fail?
What type of attack was performed?
What is the timeline of significant events?
What do you think happened?
What would you have done to avoid this type of attack?
Malware Triage
Identify malware through binary static and dynamic analysis
Static Analysis
Scan the suspected binary with an Anti-Virus scanner
Hash the binary and search a database like VirusTotal to see if it was previously identified
Find strings in the binary that may help provide clues about what it does
Packed and obfuscated binaries defeat this method of analysis
Identify imports and exports to get a feel for its functionality and capabilities
Advanced static analysis involves using a disassembler like IDA Pro
Requires x86/x64 assembly knowledge
Ability to recognize code constructs in assembly
Programming and operating system internals experience
md5 sample.exe
MD5 (sample.exe) = 4c754150639aa3a86ca4d6b6342820be
Detection ratio is 49/56 scanners identified it as malicious
There are several different results, all of which mostly vary in name
Run strings against the binary and identify anything that appears interesting
Software\Microsoft\Windows\CurrentVersion\Run
Alina v
dwm.exe, win-firewall.exe, adobeflash.exe, desktop.exe, java.exe
firefox.exe, chrome.exe, steam.exe, skype.exe, dllhost.exe, lsass.exe
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: close
POST, HTTP/1.1
.text
.rdata
.data
.rsrc
.reloc
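The basic static steps above (hash the file, pull strings, note what they reveal), as an added Python example that is not part of the original deck. It hashes a byte buffer, extracts both ASCII and UTF-16LE strings, sorts the hits into the kinds of clues shown above (run key, process names, HTTP fragments, PE section names), and reports how much of the file is readable, since a packed sample shows up as almost nothing readable. The input is a constructed byte blob that merely contains strings like the ones above; it is not a real sample, and the indicator patterns are assumptions chosen for this illustration.

```python
"""Static triage: hashes and strings from a suspect binary.

The hashes are the lookup keys for VirusTotal or an internal database; the
strings are the first clues (run keys, process names, HTTP fragments, PE
section names). A packed or obfuscated sample yields few readable strings,
which is itself worth noting.
"""
import hashlib
import re

MIN_LEN = 4  # same default as the strings utility
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text shows up as printable ASCII bytes interleaved with NULs.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# What a string tells you; the patterns are deliberately narrow (assumed set).
INDICATOR_PATTERNS = {
    "persistence": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "http": re.compile(r"^(?:POST|GET)\b|HTTP/1\.[01]|^(?:Accept|Content-Type|Connection):",
                       re.IGNORECASE),
    "process_name": re.compile(r"\b[\w-]+\.exe\b", re.IGNORECASE),
    "pe_section": re.compile(r"^\.(?:text|rdata|data|rsrc|reloc)$"),
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the raw bytes (MD5 is what the slide looked up)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes):
    """Return [(offset, kind, text)] for ASCII and UTF-16LE strings, in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "wide", m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(found)


def classify_strings(strings):
    """Map indicator kind -> matching strings, keeping file order."""
    hits = {}
    for _, _, text in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits.setdefault(kind, []).append(text)
    return hits


def readable_ratio(data: bytes, strings) -> float:
    """Fraction of bytes covered by readable strings; near zero suggests packing."""
    if not data:
        return 0.0
    covered = sum(len(text) * (2 if kind == "wide" else 1) for _, kind, text in strings)
    return covered / len(data)


# Constructed stand-in for a binary: a few header-like bytes, then strings of
# the kinds recovered above. It is not a real sample.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b".text\x00\x00\x00.rdata\x00\x00.rsrc\x00\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x17\x3a\x9c" + "dwm.exe".encode("utf-16-le") + b"\x00\x00"
    + b"POST, HTTP/1.1\x00Content-Type: application/octet-stream\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    for alg, digest in file_hashes(SAMPLE_BLOB).items():
        print(f"{alg}: {digest}")
    strings = extract_strings(SAMPLE_BLOB)
    print(f"readable ratio: {readable_ratio(SAMPLE_BLOB, strings):.2f}")
    for kind, texts in classify_strings(strings).items():
        print(f"{kind}: {texts}")
```

Run it on a real file by replacing SAMPLE_BLOB with open(path, "rb").read(); the wide-string pass matters because Windows malware often keeps its registry paths and process names as UTF-16, where the plain strings utility misses them unless told to look.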
Dynamic Analysis
Interact with the binary to understand how it behaves in an isolated environment
Capture network traffic and analyze any requests that are made
DNS
HTTP
Take a snapshot of the Windows Registry before running the sample and after
Diff the results after execution
Analyze the registry keys and files that were created
Disable sharing files between your host operating system and the virtual environment
Ransomware can encrypt shares
Your data could be corrupted, deleted, or infected
WireShark
RegShot
FakeNet
Process Hacker
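The snapshot-and-diff step above, as an added Python example that is not part of the original deck and not RegShot's code: two registry snapshots are modelled as nested dictionaries (key path -> value name -> data), the diff lists added and removed keys and added, removed and changed values, and a second pass calls out any change that landed in an autostart location (Run, RunOnce, AppInit_DLLs, Services). Both snapshots are constructed; the key and value names, the hook DLL path and the dwm.exe path are made-up sample data, and the list of autostart locations is an assumption limited to the persistence points this deck names.

```python
"""RegShot-style registry diff for dynamic analysis.

A snapshot is {key_path: {value_name: data}}. Diffing the before and after
snapshots gives the keys and values the sample touched; the autostart pass
highlights the ones that matter for persistence.
"""
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[str, str]]

# Autostart locations from the persistence section (assumed subset), matched
# case-insensitively as substrings of the full key path.
AUTOSTART_KEYS = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",      # also matches RunOnce
    "\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS",  # AppInit_DLLs
    "\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\",
)


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Return added/removed keys and added/removed/changed values, sorted by key."""
    result = {"keys_added": [], "keys_removed": [],
              "values_added": [], "values_removed": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            result["keys_added"].append(key)
            for name, data in after[key].items():
                result["values_added"].append((key, name, data))
            continue
        if key not in after:
            result["keys_removed"].append(key)
            for name, data in before[key].items():
                result["values_removed"].append((key, name, data))
            continue
        old, new = before[key], after[key]
        for name in sorted(set(old) | set(new)):
            if name not in old:
                result["values_added"].append((key, name, new[name]))
            elif name not in new:
                result["values_removed"].append((key, name, old[name]))
            elif old[name] != new[name]:
                result["values_changed"].append((key, name, old[name], new[name]))
    return result


def autostart_changes(diff: dict) -> List[Tuple]:
    """Added or changed values that live under a known autostart key."""
    flagged = []
    for entry in diff["values_added"] + diff["values_changed"]:
        key = entry[0].upper()
        if any(marker in key for marker in AUTOSTART_KEYS):
            flagged.append(entry)
    return flagged


# Constructed snapshots; value names, paths and data are sample data only.
BEFORE: Snapshot = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":
        {"VendorTray": "C:\\Program Files\\Vendor\\tray.exe"},
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer":
        {"ShellState": "24 00 00 00"},
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows":
        {"AppInit_DLLs": ""},
}
AFTER: Snapshot = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run":
        {"VendorTray": "C:\\Program Files\\Vendor\\tray.exe",
         "dwm": "C:\\Users\\analyst\\AppData\\Roaming\\dwm.exe"},
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer":
        {"ShellState": "24 00 00 01"},
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows":
        {"AppInit_DLLs": "C:\\Windows\\Temp\\hook.dll"},
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Updater":
        {"ImagePath": "C:\\Windows\\Addins\\svchost.exe", "Start": "2"},
}

if __name__ == "__main__":
    diff = diff_snapshots(BEFORE, AFTER)
    for section, entries in diff.items():
        print(f"{section}: {len(entries)}")
    print("autostart changes:")
    for entry in autostart_changes(diff):
        print("   ", entry)
```

Noise such as the Explorer ShellState change is expected from any process; the autostart pass is what separates the sample's persistence from background churn, and the files it points at (the Roaming dwm.exe, the hook DLL, the service image) are the ones to carry into static analysis.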