Page 1: What the Heck Just Happened?

What the Heck Just Happened? An Introduction to Digital Forensics

for Incident Response

Ken Evans

Information Security Incident Response Lead Henry Ford Health Systems

CISSP, GSEC, GCFA, GCFE

[email protected] http://csc-hub.com/what_the_heck.pdf

Page 2: What the Heck Just Happened?

What We’re Covering

• Introduction to Digital Forensics

• Basic memory analysis of a host with Mandiant Redline

• Intermediate file system analysis of a host with Log2timeline

Page 3: What the Heck Just Happened?

We Are NOT Covering…

• Proper evidence handling procedures

• Detailed information about forensic artifacts

• About 165 tools in the SANS SIFT workstation

• The best way to scale this for a business

Page 4: What the Heck Just Happened?

To Get the Most Value From This Presentation

• Don’t try to memorize the steps

• Keep a high level view and go for the concepts

• See if this looks useful or fun

• Follow-up by getting the presentation and accessing the links at the end

Page 5: What the Heck Just Happened?

The Scenario

• You’re at work browsing when suddenly a popup window appears and then goes away immediately.

• You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing.

• Thirty minutes later the help desk calls you and asks why you are pinging an RBN (Russian Business Network) command and control server in Ukraine.

• A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices.

BUT…

Page 6: What the Heck Just Happened?

Classical Incident Response

Preparation

Identification and Scoping

Containment / Intelligence

Gathering

Eradication / Remediation

Recovery

Follow Up / Lessons Learned

Page 7: What the Heck Just Happened?

Incident Response with Full Intrusion Analysis

Preparation

Identification and Scoping

Containment / Intelligence Gathering

  Intrusion Analysis

  • Memory Forensics

  • Timeline Analysis

  • File System Analysis

  • Data Recovery

Eradication / Remediation

Recovery

Follow Up / Lessons Learned

Page 8: What the Heck Just Happened?

Our Approach

Memory is VERY volatile: it is gone at the next reboot or power-off, so we capture it first, before anything else is done to the subject system.

We’ll use Mandiant Redline for this.

Logs and other artifacts on the disk are also volatile, in the sense that they decay (logs roll over, deleted files get overwritten) and every minute of additional activity adds noise that makes the entries we want harder to find.

We’ll take a disk image and create a Super Timeline from it.

Page 9: What the Heck Just Happened?

Some Assembly Required

For Memory Analysis:

1. Examiner system (64-bit, 4 GB RAM for VMware support)

2. Installation of Mandiant Redline on the Examiner system

3. External storage, larger than memory

For Disk Image Analysis:

4. External storage, larger than the source hard drive

5. Ubuntu Desktop 14 install disc on DVD or bootable USB

6. Installation of VMware Player on Examiner system

7. Installation of SANS SIFT Workstation 3 on Examiner system

8. MS Excel or other spreadsheet program (macro compatible)

Page 10: What the Heck Just Happened?

Mandiant Redline Overview

Malware can sometimes hide in transit or on disk, but eventually…

IT MUST EXECUTE

And to do that it needs to use…

MEMORY!

Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.

Page 11: What the Heck Just Happened?

Creating a Redline Collector

Create a “Standard Collector” from Redline on your Examiner system.

Page 12: What the Heck Just Happened?

Collector Option - Acquire Memory Image

Make sure to Acquire Memory Image. Save the Collector to USB device.

Page 13: What the Heck Just Happened?

Running the Redline Collector on the Subject

Run the Redline Collector from the USB device in a command line session with elevated (administrator) privileges. The Collector writes its output, including the memory image, back to the USB device, so the subject’s own disk is touched as little as possible.

Page 14: What the Heck Just Happened?

Collector Can Take a While

Depends mostly on: • Machine speed • RAM size • Disk speed

Page 15: What the Heck Just Happened?

Time for the Subject Disk Image

We need to capture a disk image without changing or corrupting the contents.

One simple way to do this is to boot the subject from a Linux live CD and read the disk from there: the subject’s operating system never runs, so nothing on the disk gets modified. Do this only after the memory capture, since shutting down for the live CD boot destroys the memory.

Professionals would use a hardware write blocker or do a live capture here, but those are more complicated or need special equipment or software. Whichever way you acquire, hash the image (e.g. sha256sum) when it is made so you can prove later that it has not changed.

Page 16: What the Heck Just Happened?

Boot Ubuntu Live CD on Subject System

Page 17: What the Heck Just Happened?

Launch a Terminal Session

Page 18: What the Heck Just Happened?

Escalate to Super User

Page 19: What the Heck Just Happened?

Note the Source Drive with lsblk

Source 30 GB drive device is /dev/sda; the partition we image is /dev/sda2. (Imaging the whole /dev/sda instead also captures the partition table and any other partitions, but a whole-drive image then needs an offset to mount, whereas a partition image mounts directly.)

Mounted external media is /media/ubuntu/FreeAgent Drive

Note: In Linux, everything is a file, so a disk or partition can be read just like any other file.

Page 20: What the Heck Just Happened?

Use the dd Command to Make a Disk Image File

dd Command Syntax

dd if=INPUT of=OUTPUT bs=BLOCKSIZE conv=FLAGS

if = input “file” (the source device, e.g. /dev/sda2)

of = output file (the image file on the external drive)

bs = block size: the number of bytes read and written per operation (a larger value is faster, but see sync below)

conv = convert flags, comma separated:

  noerror = continue if you get a read error instead of stopping

  notrunc = do not truncate the output file

  sync = pad a failed or short read with zeros to a full block, so every later byte of the image stays at its original offset (use it together with noerror; with bs=512 the padding never exceeds one sector)
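The following is an added example and not code from the original deck: a small Python imager that does what the dd flags above do with conv=noerror,sync (keep reading after an I/O error, write the unreadable block as zeros so later offsets still line up) and records a SHA-256 of the image so it can be verified afterwards. On a real acquisition you would still type the dd line on the live CD; this shows what those flags buy you and what the verification step looks like. The FlakyReader, the file names and the 4096-byte “drive” are constructed for the example.

```python
"""Added example (not from the original deck): dd-style imaging with
noerror/sync semantics and a SHA-256 sidecar for later verification."""
import hashlib
import io
import os
import tempfile

SECTOR = 512  # block size; padding a failed read to one sector keeps offsets aligned


class FlakyReader:
    """Constructed stand-in for a drive with unreadable sectors.

    Wraps bytes and raises OSError when a read starts inside one of the bad
    block indexes, the way a failing disk makes read() fail.  Like dd with
    noerror, the position is advanced past the bad block before raising.
    """

    def __init__(self, data, bad_blocks, block_size=SECTOR):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self._bs = block_size
        self._size = len(data)

    def read(self, n):
        block_index = self._buf.tell() // self._bs
        if block_index in self._bad:
            self._buf.seek(min(self._buf.tell() + n, self._size))
            raise OSError(5, "Input/output error")
        return self._buf.read(n)


def image_device(reader, out_path, total_size, block_size=SECTOR):
    """Copy `reader` to `out_path` block by block (dd if=... of=... bs=...).

    A block that fails to read is written as zeros (conv=noerror,sync), so
    nothing is skipped and offsets in the image equal offsets on the source.
    Returns (sha256_hex_of_image, number_of_bad_blocks) and writes the hash
    to out_path + ".sha256" in sha256sum format.
    """
    digest = hashlib.sha256()
    bad = 0
    offset = 0
    with open(out_path, "wb") as out:
        while offset < total_size:
            want = min(block_size, total_size - offset)
            try:
                chunk = reader.read(want)
            except OSError:
                chunk = b""
                bad += 1
            if len(chunk) < want:  # failed or short read: pad like conv=sync
                chunk = chunk + b"\0" * (want - len(chunk))
            out.write(chunk)
            digest.update(chunk)
            offset += want
    with open(out_path + ".sha256", "w") as f:
        f.write(f"{digest.hexdigest()}  {os.path.basename(out_path)}\n")
    return digest.hexdigest(), bad


def verify_image(out_path):
    """Re-hash the image and compare with the recorded .sha256 sidecar."""
    with open(out_path + ".sha256") as f:
        recorded = f.read().split()[0]
    digest = hashlib.sha256()
    with open(out_path, "rb") as img:
        for chunk in iter(lambda: img.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest() == recorded


def demo(tmpdir=None):
    """Image a constructed 8-sector 'drive' whose sector 3 is unreadable."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    data = bytes(range(256)) * 16  # 4096 bytes = 8 sectors of 512 (constructed)
    src = FlakyReader(data, bad_blocks={3})
    out = os.path.join(tmpdir, "subject.dd")  # assumed output name
    _, bad = image_device(src, out, len(data))
    with open(out, "rb") as f:
        img = f.read()
    return {
        "bad_blocks": bad,
        "image_len": len(img),
        "sector3_zeroed": img[3 * SECTOR:4 * SECTOR] == b"\0" * SECTOR,
        "sector4_intact": img[4 * SECTOR:5 * SECTOR] == data[4 * SECTOR:5 * SECTOR],
        "verified": verify_image(out),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the padding is visible in the result: sector 3 comes out as zeros, but sector 4 is still at byte 2048, so the file system structures a later tool parses from the image are where it expects them. Without sync the bad block would simply be missing and everything after it would shift.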

Page 21: What the Heck Just Happened?

Image Can Take a While

Depends mostly on: • Machine speed • Disk size • Disk speed

Page 22: What the Heck Just Happened?

Analyze the Memory

• Shutdown Ubuntu / Subject system

• Hook the USB drive up to your Examiner system

• Run Mandiant Redline

Page 23: What the Heck Just Happened?

Open Collected Redline Data

Click on upper-left “R” symbol for menu, and select Analyze Collected Data.

Page 24: What the Heck Just Happened?

Browse to your Collector Data

Browse to the Collector data on the USB device.

Page 25: What the Heck Just Happened?

Select the Time Stamped Audit Folder

Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.

Page 26: What the Heck Just Happened?

Browse to your Collector Data

We don’t need the Advanced or Indicators of Compromise options. Click Next.

Page 27: What the Heck Just Happened?

Hurry Up and Wait

No time for movies, though!

Page 28: What the Heck Just Happened?

Select the Full Live Response Option

Page 29: What the Heck Just Happened?

Review the Processes

Page 30: What the Heck Just Happened?

Closer Examination of svchost.exe

Page 31: What the Heck Just Happened?

MRI Report for svchost.exe - 1

Page 32: What the Heck Just Happened?

MRI Report for svchost.exe - 2

Page 33: What the Heck Just Happened?

Analyze the Disk Image

• Hook the USB drive up to your Examiner system

• Launch Vmware Player

• Launch SIFT Workstation

• Make sure USB drive is readable (mounted) in the SIFT Workstation

Page 34: What the Heck Just Happened?

Super Timeline Process Overview

1. Acquire image

  • Ubuntu desktop live CD boot, dd command

2. Mount image for processing

  • Launch SIFT workstation, mount command

3. Create comprehensive timeline

  • log2timeline command

4. Filter the timeline

  • l2t_process command

5. Apply colorization macro

  • Colorize, sort, and analyze

Page 35: What the Heck Just Happened?
Page 36: What the Heck Just Happened?

SIFT Workstation 3.0

Page 37: What the Heck Just Happened?

Escalate your Privileges to Super User

Page 38: What the Heck Just Happened?

Mount the .dd Image

mount Command Syntax

mount [options] sourcefile mountpoint

-o = options flag, comma separated:

  ro = read-only (never mount evidence writable)

  loop = loopback, so a regular file is treated as a block device

  show_sys_files = yes, show the NTFS system files ($MFT, $LogFile, …) so log2timeline can parse them

  streams_interface = how to interpret NTFS alternate data streams (streams_interface=windows exposes them as file:stream)

Because we imaged the partition (/dev/sda2) the image mounts directly. For a whole-drive image you would add offset=N, where N is the partition’s starting sector times the sector size (512), to reach the file system inside it.

Page 39: What the Heck Just Happened?

Optional: Verify the Mount

Page 40: What the Heck Just Happened?

Execute the log2timeline Command

log2timeline Command Syntax

log2timeline [options] [-f format] [-z timezone] log_file [-w bodyfile]

-p = preprocess (trust me, you want it)

-r = recursive

-f = format. There are several; check the docs for your type (-f list).

-z = timezone. Use the timezone of the subject system, not the examiner’s; check the docs for the string (-z list).

-w = write the output to the named file.

These are the options of the original Perl log2timeline, which is what these slides use; the newer plaso log2timeline.py takes different arguments.

Page 41: What the Heck Just Happened?

How to List the Format Options

Page 42: What the Heck Just Happened?

How to List the Time Zones

The “-z list” feature will let you see the complete list of time zones and the strings to use.

Page 43: What the Heck Just Happened?

log2timeline Sample Run

Page 44: What the Heck Just Happened?

Timeline Might Take a While

Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs

Page 45: What the Heck Just Happened?

Let’s Trim it Down

The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.

Page 46: What the Heck Just Happened?

l2t_process Command

l2t_process Command Syntax

l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE]

Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY

NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)

Page 47: What the Heck Just Happened?

l2t_process Command

Page 48: What the Heck Just Happened?

l2t_process Command

Page 49: What the Heck Just Happened?

Output of l2t_process

This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
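An added example, not code from the original deck or from the log2timeline project: it reproduces the two trims l2t_process did (date range, duplicate removal) on an l2t_csv timeline and then takes the next step the slides do by hand, narrowing to a window around a pivot keyword such as svchost.exe. The rows in SAMPLE_CSV are constructed for the example and follow the legacy log2timeline CSV column layout; host names, user, paths and event text are invented, not output from the case in the slides.

```python
"""Added example (not from the original deck): trim an l2t_csv timeline the
way l2t_process does, then narrow it to a window around a pivot keyword.
Timestamps are assumed to be already in the subject's time zone (-z), so no
zone conversion is done here."""
import csv
import io
from datetime import datetime, timedelta

L2T_HEADER = ("date,time,timezone,MACB,source,sourcetype,type,user,host,"
              "short,desc,version,filename,inode,notes,format,extra")

# Constructed sample rows (not real log2timeline output).
SAMPLE_CSV = L2T_HEADER + "\n" + "\n".join([
    "06/22/2014,23:59:30,EST5EDT,MACB,EVT,Security,Logon,bob,WS01,Logon succeeded,"
    "Event 4624 logon type 2 for bob,2,C:/Windows/System32/winevt/Logs/Security.evtx,101,,evtx,",
    "06/23/2014,09:02:11,EST5EDT,.A..,FILE,NTFS $MFT,Last Access Time,,WS01,"
    "C:/Windows/System32/config/SOFTWARE,C:/Windows/System32/config/SOFTWARE,2,"
    "C:/Windows/System32/config/SOFTWARE,1234,,fs,",
    "06/23/2014,14:30:12,EST5EDT,.A..,WEBHIST,Chrome History,Last Visited Time,bob,WS01,"
    "http://ads.example.test/serve.php,URL: http://ads.example.test/serve.php (Untitled) [count: 1],2,"
    "C:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/History,5678,,chrome,",
    "06/23/2014,14:30:40,EST5EDT,MACB,FILE,NTFS $MFT,Created,,WS01,"
    "C:/Users/bob/AppData/Local/Temp/tmp7f3a.exe,C:/Users/bob/AppData/Local/Temp/tmp7f3a.exe,2,"
    "C:/Users/bob/AppData/Local/Temp/tmp7f3a.exe,9012,,fs,",
    "06/23/2014,14:31:07,EST5EDT,.A..,PREFETCH,Prefetch,Last run,,WS01,SVCHOST.EXE-00000000.pf,"
    "SVCHOST.EXE was run 1 time(s) from C:/Users/bob/AppData/Local/Temp,2,"
    "C:/Windows/Prefetch/SVCHOST.EXE-00000000.pf,3456,,prefetch,",
    "06/23/2014,14:31:07,EST5EDT,.A..,PREFETCH,Prefetch,Last run,,WS01,SVCHOST.EXE-00000000.pf,"
    "SVCHOST.EXE was run 1 time(s) from C:/Users/bob/AppData/Local/Temp,2,"
    "C:/Windows/Prefetch/SVCHOST.EXE-00000000.pf,3456,,prefetch,",
    "06/23/2014,14:32:55,EST5EDT,MACB,EVT,System,Service installed,SYSTEM,WS01,Event 7045 new service,"
    "Event 7045: A service was installed. Service Name: WinUpdSvc Image Path: "
    "C:/Users/bob/AppData/Local/Temp/tmp7f3a.exe,2,C:/Windows/System32/winevt/Logs/System.evtx,102,,evtx,",
    "06/23/2014,15:10:00,EST5EDT,M...,REG,Registry Key,Last Written,bob,WS01,"
    "HKCU/Software/Microsoft/Windows/CurrentVersion/Run,[HKCU/Software/Microsoft/Windows/CurrentVersion/Run] "
    "WinUpd: C:/Users/bob/AppData/Local/Temp/tmp7f3a.exe,2,C:/Users/bob/NTUSER.DAT,7890,,reg,",
    "06/24/2014,08:15:00,EST5EDT,MACB,EVT,System,Startup,SYSTEM,WS01,Event 6005 eventlog started,"
    "Event 6005: The Event log service was started.,2,C:/Windows/System32/winevt/Logs/System.evtx,103,,evtx,",
    "06/25/2014,10:00:00,EST5EDT,.A..,WEBHIST,Chrome History,Last Visited Time,bob,WS01,"
    "http://intranet.example.test/,URL: http://intranet.example.test/ (Home) [count: 3],2,"
    "C:/Users/bob/AppData/Local/Google/Chrome/User Data/Default/History,5678,,chrome,",
])


def load_timeline(text):
    """Parse l2t_csv text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _stamp(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")


def filter_range(rows, start, end):
    """Keep rows from day `start` through day `end` inclusive (MM-DD-YYYY,
    the form l2t_process takes); end is extended to midnight so the last
    day is a full day, as the slide advises."""
    lo = datetime.strptime(start, "%m-%d-%Y")
    hi = datetime.strptime(end, "%m-%d-%Y") + timedelta(days=1)
    return [r for r in rows if lo <= _stamp(r) < hi]


def dedupe(rows):
    """Drop rows that repeat the same event (same time, MACB, source, text)."""
    seen, out = set(), []
    for r in rows:
        key = (r["date"], r["time"], r["MACB"], r["source"], r["desc"], r["filename"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def pivot_window(rows, needle, minutes):
    """Return, in time order, every row within +/- `minutes` of any row whose
    short/desc/filename mentions `needle` (case-insensitive)."""
    needle = needle.lower()
    pivots = [_stamp(r) for r in rows
              if needle in (r["short"] + r["desc"] + r["filename"]).lower()]
    span = timedelta(minutes=minutes)
    hits = [r for r in rows if any(abs(_stamp(r) - p) <= span for p in pivots)]
    return sorted(hits, key=_stamp)


def summarize(rows):
    """One printable line per row: when, MACB, source, short description."""
    return [f"{r['date']} {r['time']} {r['MACB']} {r['source']:<8} {r['short']}" for r in rows]


if __name__ == "__main__":
    day = dedupe(filter_range(load_timeline(SAMPLE_CSV), "06-23-2014", "06-24-2014"))
    print("\n".join(summarize(pivot_window(day, "svchost", 5))))
```

Run as-is it prints the four events around the constructed svchost.exe Prefetch entry: the browser visit just before it, the executable dropped in Temp, the Prefetch run itself, and the service installed a minute later. That is the same shape of story the colorized spreadsheet shows on the next slides, just without the colors.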

Page 50: What the Heck Just Happened?

Color Timeline Blog Entry

1. Download it - Open Timeline Color Template

2. Switch to Color Timeline worksheet/tab

3. Click on Cell A-1

4. Select 'DATA' Ribbon

5. Import Data "FROM TEXT"

6. Select log2timeline.csv file

7. TEXT IMPORT WIZARD Will Start

8. Step 1 -> Select Delimited -> Select NEXT

9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT

10. Step 3 -> Select Finish

11. Where do you want to put the data? Simply Select OK.

12. Once imported View -> Freeze Panes -> Freeze Top Row

13. Optional: Hide Columns Timezone, User, Host, Short or Desc (keep one of these), Version

14. Select HOME Ribbon

15. Select all Cells "CTRL-A"

16. In Home Ribbon -> Sort and Filter -> Filter

http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files

Page 51: What the Heck Just Happened?

What Does the Color Template Do?

The color template will apply the following colors to rows in the timeline file.

Page 52: What the Heck Just Happened?

Look What We Found!

Page 53: What the Heck Just Happened?

Log2timeline Command Format

Page 54: What the Heck Just Happened?

Summary

• We used Mandiant Redline to do a quick memory analysis to find out if we had a problem

• svchost.exe was called out by Redline

• We followed it up with a more detailed file system analysis

• We found the svchost.exe execution sitting in the middle of several other events of note

Page 55: What the Heck Just Happened?

Resources - 1

SANS SIFT Workstation 3.0 Download
http://digital-forensics.sans.org/community/downloads

SANS SIFT Workstation Blog
http://digital-forensics.sans.org/blog/category/sift-workstation

SANS SIFT Workstation YouTube series
https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A

Super Timeline Creation Cheat Sheet
http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident-response-log2timeline-timeline-cheatsheet.pdf

Timeline Colorization Template Instructions
http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files

Page 56: What the Heck Just Happened?

Resources - 2

Mandiant Redline Download
https://www.mandiant.com/resources/download/redline

Example: Use the Mandiant Redline memory analysis tool for threat assessments
http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis-tool-for-threat-assessments

[email protected] http://csc-hub.com/what_the_heck.pdf