tag:blogger.com,1999:blog-9518042.post8883497399048826549..comments2024-03-19T07:46:20.437-05:00Comments on Windows Incident Response: DFIR Questions, How-Tos...Unknownnoreply@blogger.comBlogger12125tag:blogger.com,1999:blog-9518042.post-86174870477871476502018-04-06T08:54:39.987-05:002018-04-06T08:54:39.987-05:00The older log2timeline has really changed quite a ...The older log2timeline has really changed quite a bit. When I started timelines I was using the SIFT with log2timeline. Now, most of those commands are deprecated and plaso has replaced them. I think writing pertianing to the current log2timeline with plaso would be helpful, Devildog. You have a manner of explaining a topic with a greater clarity when compared to most. Anonymoushttps://www.blogger.com/profile/15892463252714005835noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-7707863358105296572018-03-25T15:36:20.881-05:002018-03-25T15:36:20.881-05:00Here are a few suggestions:
How to pull artifacts...Here are a few suggestions:<br /><br />How to pull artifacts from endpoints (e.g. Kansa, psexec, wmic, osquery, winpmem)<br />How to analyze artifacts from many endpoints (e.g. data stacking, LFO, temporal)<br />How to threat hunt on a budget<br />How to create and use threat intelligence, rather than relying on threat feedsJoehttps://www.blogger.com/profile/13904888328542974985noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-42170297116434923692018-03-25T05:25:12.708-05:002018-03-25T05:25:12.708-05:00Owen,
> ...how-tos pertaining to shadow copies...Owen,<br /><br />> ...how-tos pertaining to shadow copies (when to use it? what type of data is available?)<br /><br />I covered VSCs pretty extensively in WFA 4/e.<br /><br />> ...building a timeline (what types of data should be included? how to start analyzing it?) <br /><br />I covered creating timelines in WFA 4/e, and used timelines in IWS (coming out in a couple of months).<br /><br />> ...investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)<br /><br />Thanks for the input, keep it coming!H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-42132015325619750212018-03-25T03:59:21.892-05:002018-03-25T03:59:21.892-05:00Hi,
I'm looking forward to your new book.
I w...Hi,<br />I'm looking forward to your new book. <br />I would like to see how-tos pertaining to shadow copies (when to use it? what type of data is available?), building a timeline (what types of data should be included? how to start analyzing it?) and investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)<br />Thank you Owennoreply@blogger.comtag:blogger.com,1999:blog-9518042.post-85461811626825231622018-03-23T02:09:18.662-05:002018-03-23T02:09:18.662-05:00Follow-up:
Concerning Registry transaction logs,...Follow-up: <br /><br />Concerning Registry transaction logs, aside from synchronization issues between RAM and disk, is there any more to see here? Is this the Registry equivalent/consequence of NTFS “lazy write” or are there potential nefarious uses here? For instance, can I ensure the Registry changes certain configurations “live” but records a different value “dead”? I’m really not sure, just thinking out loud. It may be that there isn’t much to see here and I should just move along.<br /><br />The memory capture and Win10 anti-debugging measures are related. I think this is going to significantly impact collecting RAM, and even how tools go about it may result in some getting a “blank” area/page whereas other tools will get some or all data from these regions. A comparison and discussion of methodology would be enlightening.<br /><br />Concerning reverse engineering undocumented WinAPI stuff, it would be handy to do a walkthrough of how to “figure out” how a specific exported function from a DLL works or determine the structure of some record format. I recently had to figure out the SID structure (beginning with a binary array as input) and don’t know that I would have figured it out had it not been for NirSoft documenting the C structs and having several blog posts from MS to guide me. But had I not had those, I’m not really sure where I would have started. This happens all the time. Connecting these dots is challenging (how do I determine the struct(s) and corresponding functionality? This is still way too broad, I know, but how did you determine various enumerated flags when writing RegRipper? Did you find docs or did you have to reverse engineer any of the structures to determine what bitwise checks meant for various flags? Just some thoughts.Dan O’Dayhttp://4n68r.comnoreply@blogger.comtag:blogger.com,1999:blog-9518042.post-19947964954769100722018-03-21T05:48:41.935-05:002018-03-21T05:48:41.935-05:00Dan,
Thanks for commenting, and for sharing your ...Dan,<br /><br />Thanks for commenting, and for sharing your thoughts. Could you help me understand these a bit more?<br /><br />> More on SRUM use cases (detecting cryptomining perhaps?)<br /><br />This is an interesting topic, and definitely something I can see being useful.<br /><br />> understanding implications of dirty bits in Registry and replaying transaction logs<br /><br />I get that the Registry transaction logs are somewhat "new", insofar as being utilized, but can you expand a bit as to what you're looking for? I'm only aware of a very few individuals performing research in this area, and as such, I don't see that it's hard to keep up on it.<br /><br />> new anti-debugging features in Win10 <br /><br />I'm not really clear as to how I'd cover this from a DFIR perspective...<br /><br />> “state of the union” of memory capture tools<br /><br />I'm sure that this has been covered, and it's not really a Windows DFIR topic...<br /><br />> reverse engineering undocumented Windows API data structures....<br /><br />Anything in particular, or just a general question?<br /><br />Thanks.H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-90544878428959950752018-03-20T19:32:32.230-05:002018-03-20T19:32:32.230-05:00More on SRUM use cases (detecting cryptomining per...More on SRUM use cases (detecting cryptomining perhaps?), understanding implications of dirty bits in Registry and replaying transaction logs, new anti-debugging features in Win10 and “state of the union” of memory capture tools, reverse engineering undocumented Windows API data structures....Dan O’Dayhttp://4n68r.cmnoreply@blogger.comtag:blogger.com,1999:blog-9518042.post-81593565425049636642018-03-20T18:20:11.003-05:002018-03-20T18:20:11.003-05:00I had a case a while back, quite complex because a...I had a case a while back, quite complex because a long time went by since the incident until was communicated.<br />A user who was stealing information of multiple systems, through a USB device.<br />Then, in his own system, he saw this information and, finally, he would use CCleaner.<br />The only reference I found about the stealed information was in 'change.log' file.<br />I would have paid whatever it took in order to have a 'How to' for that case.<br /><br />A result of this case has been my obsesion for USB devices. What interaction it has with a System, how does it function, ...<br />I've seen references to the Registry keys in the event logs.<br />I've seen references to the Registry keys in the free disk space.<br />I've seen references to the Registry keys in the '.etl' files.<br />I would know how associate all this data.<br /><br />I've even got a slide show to publish soon about USB devices and all its activity in a System, with several situations<br /><br />I apologize, if I can't well explain It.@_N4rr34n6_https://www.blogger.com/profile/11576504385599944363noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-52131976810311725762018-03-16T05:32:29.624-05:002018-03-16T05:32:29.624-05:00Felipe,
> I would like to see a "How To&q...Felipe,<br /><br />> I would like to see a "How To" on performing DFIR in the cloud. <br /><br />My only experience performing DFIR in the cloud was from when I worked at Terremark, now owned by Verizon. As their 'cloud' was based on VMWare, we could pause individual systems and grab the necessary files (disk image or VMDK file, memory). At that point, it's really no different from traditional disk forensics.<br /><br />There's a very good blog post here that addresses some of the issues in general:<br /><br />https://ponderthebits.com/2017/01/a-response-to-the-cloud-is-evil/<br /><br />Hopefully this helps.<br /><br />> ... should we be deploying EDR in the cloud to aid in post-compromise analysis...<br /><br />Absolutely. However, if you've already got the "traditional Cb+Splunk", then you already have EDR, so you should be performing early incident detection.<br /><br />> ...Or should we leverage built-in tools...<br /><br />Whatever works for you. In a lot of ways, that question is really no different from most of the ones DFIR folks deal with...someone says, "...should I do X or Y...", and we answer, "...well, what do you want to accomplish in the end?"<br /><br />Thanks for the questions, I hope these responses have helped...<br />H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-23424808758800298292018-03-15T18:36:53.176-05:002018-03-15T18:36:53.176-05:00I would like to see a "How To" on perfor...I would like to see a "How To" on performing DFIR in the cloud. There seems to be lack of specific guidance on performing incident response on AWS and Azure environments. Is it the same as performing IR locally? What are the nuances? How do we deal with EBS volumes instead of locally attached disks? <br />As Bryan mentioned, in the past few years I have moved to EDR from the traditional disk image forensics and have experienced the benefits. Again, should we be deploying EDR in the cloud to aid in post-compromise analysis with the traditional CB+Splunk and Sysmon+ELK tools? Or should we leverage built-in tools such as AWS Cloudwatch and Cloudtrail for completeness of vision? <br /><br />Another topic that intrigues me is forensics with WSL. Do we need Windows skills and tools or Linux? <br />Felipe Chttps://www.blogger.com/profile/00458646198724559467noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-40004286165796642522018-03-15T11:40:58.657-05:002018-03-15T11:40:58.657-05:00EDR is huge...performing DFIR analysis after an in...EDR is huge...performing DFIR analysis after an incident (in many cases, months after...) means that a lot of data required to really state definitively what happened is no longer available. Different artifacts have different lifetimes...processes, for example, exist until the process exits or the system is shut down. Months later, you have neither the command line, nor process memory available. <br /><br />I've been pushing this message pretty consistently through LinkedIn and Twitter.H. Carveyhttps://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-9518042.post-7436106637082250632018-03-15T09:28:18.895-05:002018-03-15T09:28:18.895-05:00With over 200 posts in the last 5 years it is pret...With over 200 posts in the last 5 years it is pretty hard to say if anything if directly "missing". What I absolutely love about this blog are the topics that show capabilities and techniques one can use while either on the box itself (or on a clone). Enterprises are moving more into EDR at first response and while using tools made by others is great in a fair number of situations, there are times when you would rather just use native tools like PowerShell.<br /><br />Maybe it's just me but I would love for more endpoint driven EDR posts, living off the land.Bryan Bowiehttps://www.blogger.com/profile/08871271767331659262noreply@blogger.com