Thursday, March 15, 2018

DFIR Questions, How-Tos...

Not long ago, I finished up the content of my latest book, Investigating Windows Systems, and got it all shipped off to the publisher.  The purpose of this book is to go beyond my previous books; rather than listing artifacts and mentioning ways they can be used, I wanted to walk through examinations, using CTF and forensic challenge images that are available online.

A shortcoming of this approach is that it leaves a lot of topics not addressed, or perhaps not as fully addressed as they could be.  For example, of the images I used in writing my book, there were no business email compromises, and little in the way of lateral movement, etc.  There was some analysis of user activity, but for the most part, it was limited.

Back in July 2013, I had some time available, and I wrote up about a dozen "How To" blog posts covering various Windows DFIR topics.  What I've thought might be of value to the community is to go back to those "How To" posts, expand and extend them a bit, add coverage for Windows 10, and include them in a book.

My question to the community at large is this...what are some of the topics that should be addressed, beyond those I blogged about almost 5 years ago?

Now, when considering these questions, or opportunities for "How To" chapters, please understand that I may not be able to address all of them.  For example, I've never conducted a business email compromise (BEC) investigation...as I've pointed out before, even in just over two decades of DFIR consulting, I haven't seen everything, and I don't know everything.  I also do not have access to an AD environment.

Even so, I'd still appreciate your input, because some of the answers and thoughts I can provide may serve as building blocks for larger solutions.

So, again...what are some DFIR analysis topics, specific to Windows systems, that provide good opportunities for "just in time" training via "How To" articles or documents?

Thanks!

Addendum, 20 Mar:
Okay, I was able to pull together some input from other sources, and here's what I've got so far...

How to analyze Windows Event Logs
How to get the most out of RegRipper
How to investigate CD burning
How to perform malware detection
How to detect data exfiltration
How to analyze files (LNK, DOCX/DOC, PDF)
How to investigate lateral movement
How to investigate program execution
How to investigate user activity
How to find and interpret true last access times and dates
How to correlate/associate a device with a user (USB, Bluetooth)
How to detect/analyze the use of anti-forensics

This is just the high-level view and not the detailed outline.  However, it does seem pretty extensive.  So...thoughts?  Input?  Comments?  Complaints?  All are welcome...

8 comments:

Bryan Bowie said...

With over 200 posts in the last 5 years it is pretty hard to say if anything is directly "missing". What I absolutely love about this blog are the topics that show capabilities and techniques one can use while either on the box itself (or on a clone). Enterprises are moving more into EDR at first response and while using tools made by others is great in a fair number of situations, there are times when you would rather just use native tools like PowerShell.

Maybe it's just me but I would love for more endpoint driven EDR posts, living off the land.

Harlan Carvey said...

EDR is huge...performing DFIR analysis after an incident (in many cases, months after...) means that a lot of data required to really state definitively what happened is no longer available. Different artifacts have different lifetimes...processes, for example, exist until the process exits or the system is shut down. Months later, you have neither the command line, nor process memory available.

I've been pushing this message pretty consistently through LinkedIn and Twitter.

Felipe C said...

I would like to see a "How To" on performing DFIR in the cloud. There seems to be a lack of specific guidance on performing incident response on AWS and Azure environments. Is it the same as performing IR locally? What are the nuances? How do we deal with EBS volumes instead of locally attached disks?
As Bryan mentioned, in the past few years I have moved to EDR from the traditional disk image forensics and have experienced the benefits. Again, should we be deploying EDR in the cloud to aid in post-compromise analysis with the traditional CB+Splunk and Sysmon+ELK tools? Or should we leverage built-in tools such as AWS CloudWatch and CloudTrail for completeness of vision?

Another topic that intrigues me is forensics with WSL. Do we need Windows skills and tools or Linux?

Harlan Carvey said...

Felipe,

> I would like to see a "How To" on performing DFIR in the cloud.

My only experience performing DFIR in the cloud was from when I worked at Terremark, now owned by Verizon. As their 'cloud' was based on VMware, we could pause individual systems and grab the necessary files (disk image or VMDK file, memory). At that point, it's really no different from traditional disk forensics.

There's a very good blog post here that addresses some of the issues in general:

https://ponderthebits.com/2017/01/a-response-to-the-cloud-is-evil/

Hopefully this helps.

> ... should we be deploying EDR in the cloud to aid in post-compromise analysis...

Absolutely. However, if you've already got the "traditional Cb+Splunk", then you already have EDR, so you should be performing early incident detection.

> ...Or should we leverage built-in tools...

Whatever works for you. In a lot of ways, that question is really no different from most of the ones DFIR folks deal with...someone says, "...should I do X or Y...", and we answer, "...well, what do you want to accomplish in the end?"

Thanks for the questions, I hope these responses have helped...

Dan O’Day said...

More on SRUM use cases (detecting cryptomining perhaps?), understanding implications of dirty bits in Registry and replaying transaction logs, new anti-debugging features in Win10 and “state of the union” of memory capture tools, reverse engineering undocumented Windows API data structures....

Harlan Carvey said...

Dan,

Thanks for commenting, and for sharing your thoughts. Could you help me understand these a bit more?

> More on SRUM use cases (detecting cryptomining perhaps?)

This is an interesting topic, and definitely something I can see being useful.

> understanding implications of dirty bits in Registry and replaying transaction logs

I get that the Registry transaction logs are somewhat "new", insofar as being utilized, but can you expand a bit as to what you're looking for? I'm only aware of a very few individuals performing research in this area, and as such, I don't see that it's hard to keep up on it.

> new anti-debugging features in Win10

I'm not really clear as to how I'd cover this from a DFIR perspective...

> “state of the union” of memory capture tools

I'm sure that this has been covered, and it's not really a Windows DFIR topic...

> reverse engineering undocumented Windows API data structures....

Anything in particular, or just a general question?

Thanks.

Owen said...

Hi,
I'm looking forward to your new book.
I would like to see how-tos pertaining to shadow copies (when to use it? what type of data is available?), building a timeline (what types of data should be included? how to start analyzing it?) and investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)
Thank you

Harlan Carvey said...

Owen,

> ...how-tos pertaining to shadow copies (when to use it? what type of data is available?)

I covered VSCs pretty extensively in WFA 4/e.

> ...building a timeline (what types of data should be included? how to start analyzing it?)

I covered creating timelines in WFA 4/e, and used timelines in IWS (coming out in a couple of months).

> ...investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)

Thanks for the input, keep it coming!