DFIR – Notes for my transition

So I’ve been doing security assessments and pentesting for a number of years now, and have decided to start focusing more on the digital forensics and incident response aspects, while using them to complement my active testing efforts. This page is for my notes as I start plowing through all the material I can get my hands on.

Fast forensics – When you can’t image the drive

• Grab memory image
• Grab hibernation file
• Grab page file
• Grab registry hives
• Grab event logs
• Grab the Master File Table
• File listing with md5 hashes

Memory acquisition on virtualised platforms

• VMWare = .vmem file
• MS Hyper-V = .bin file
• Parallels = .mem file
• VirtualBox = .sav file (partial)

Memory analysis process:

• Identify rogue processes
  • Analyse processes
    • Legitimate process?
    • Name spelled right?
    • Fits with system context?
  • Full path
    • Is the process executable in the usual place?
    • Is it running from user or temp directories?
  • Parent process
    • Is it as expected?
  • Command line
    • Does it have the right switches?
  • Start time
    • Was it started at boot or something else?
    • Did the process start close the time of a known incident?
  • Security ID
    • Does the SID make sense? Would a system process run with a user accounts’ SID?
• Analysing process objects
  • DLLs
  • Handles
    • Files and directories
      • Look at occurrance of use. Malware files should, historically, be the least accessed files on the system
    • Registry
    • Events
  • Threads
  • Sockets
• Network artifacts
  • Suspicious ports
    • out-of-the-ordinary ports
    • listening ports (backdoors)
  • Suspicious connections
    • Anything connecting out
    • Known bad-IPs
    • Creation time matching an incident
  • Suspicious processes
    • Should this process have networking capabilities?
• Detecting code injection
  • Look for DLL injection and process hollowing
• Rootkit detection
  • Not a big thing anymore, most AV does a good job at detecting this
  • Hides in
    • System service descriptor tables
    • Interrupt descriptor tables
    • Function import address tables
    • I/O request packets
• Acquiring processes and drivers
  • Submit for reverse engineering or AV analysis
  • Review strings
    • add to bad-words list

Random IOCs

• svchost running from outside of system32
• dllhost runnig as admin
• iexplorer.exe opening other processes, like cmd.exe

Memory forensics with Volatility:

• You can export Volatility switches so you don’t have to set them all the time:
  • export VOLATILITY_PROFILE=Win7SP1x64
  • export VOLATILITY_LOCATION=file://image.img
• imagecopy can be used to convert crash dumps and hibernation files to raw memory
• Started applications for your timeline
  • pslist
  • psscan
  • pstree
• Run dllist to see what DLLs were loaded as part of interesting processes
• Check handles and services
• Run connections, connscan, sockets, sockscan and netscan to see network connections
• malfind to find hidden and injected code
• ldrmodules to find unlinked DLLs
• psxview, driverscan, ssdt, ssdt_ex, apihooks, idt and driverirp to find rootkits

TTP = Tacticts, Techniques and Procedures
Proxy logs - may contain POST requests as well as cached data
If you click a link in an email, no referer header will usually be set
Calamaris - Squid proxy log analysis tool
Tools based on libpcap will always have timestamps in UTC
Always load small packet dumps in wireshark, use tcpdump to reduce the filesize. tcpdump -r FILE_TO_READ_FROM -w FILE_TO_WRITE_TO '_BPF_FILTER_'
Journal Parser (jp) from TZWorks, to parse and show the history of the Windows filesystem on the host. Records every time a file is changed
BPF filter example: 'tcp and (port 80 or port 443 or port 8080) and (not dst host 192.168.12.1)'    - Give me everything TCP on port 80,443 and 8080 that isn't going to 192.168.12.1
hibr2bin - acquire RAM from Windows hibernation files. Can also be done with volatility.