Sunday, January 13, 2008

IR Immediate Actions

As you may remember, in December 2007 I presented at the HTCIA conference in Hong Kong, the first HTCIA conference for this chapter. It was a great conference, and a great opportunity to meet a lot of folks in this field (see the Speaker's page).

While there, I presented on Registry Analysis and Windows Memory Analysis, both of which seemed to be well received. One question came up during discussions of Windows Memory Analysis...during the presentation, I talk about different tools and techniques that are available for extracting the contents of RAM, and also talk about the difference between tools I can use as a private individual and those I can use as a consultant. At one point, someone asked me which tools and techniques I use most often as a consultant...and my response was simply "none of them". The reason for this is that in most all of the responses I've dealt with, the system (or systems) have already been turned off, rebooted, or sufficiently imposed upon by others (AV scans, running multiple tools, etc.) that even if I did, as a consultant, have an option available for collecting the contents of RAM available to me, doing so would be of little benefit to either my analysis, or any information I could provide to the customer.

Part of the issue is that as a consultant, I am extremely limited in the tools I can use to collect the contents of physical memory from a system, not so much due to the availability of a particular tool, but more so due to the license agreement associated with that tool.

However, a bigger issue is that the immediate actions performed by most first responders on-site are to take systems offline, shutdown them down, or "clean" and reboot them prior to any calls for outside assistance being made. While this may be pertinent for business preservation and continuity, it most often has a detrimental impact on any follow-on analysis that may take place.

If there is data leakage due to an intrusion (or this is suspected, or this is just a question that needs to be answered...), then the immediate reaction is (apparently) to shut the system down. This may be pertinent, particularly if there is no incident response plan in place that lets people know what they need to do, and time is required to notify and get approval for follow-on activities (such as calling consultants). This reaction appears to be fairly ingrained, and I'm not suggesting that we change it by saying DO NOT shut systems down. What I am going to suggest is that we modify those immediate actions such that pertinent information is collected from systems before they are shut down.

Wait...what? It looks like what I am saying is, go ahead and shut the systems down, or reboot them, or "clean" them...and I am. This is going to happen anyway. There's nothing I can say or do, either on this blog or as a paid consultant, to change that. In order to change that behavior, there has to be an incident response plan (CSIRP) in place that tells people what to do, and when someone shuts a system off inappropriately or incorrectly, that issue needs to be addressed. The issue is that some kind of overwhelming stimulus needs to be put in place to change this behavior, and until this happens, nothing anyone can say or do is going to change that.'s gonna happen anyway, and instead of changing it, let's go ahead and go with it...but throw something else in there along the way.

What can we do? Well, one thing is to put tools on systems (for a list of tools, check out my book) when they are set up, or at least at some point prior to an incident occurring. If you can't put tools and a simple batch file on systems (for whatever reason...the most common of which seems to be, "...we don't know how..."), then issue each admin/responder a CD with tools, and a thumb drive. Then make it a policy within the organization that a batch file (could be a DOS batch file, or WMI script, etc.) be run and the output saved to a thumb drive, shared drive, etc., prior to the system being taken offline.


Anonymous said...

I am extremely limited . . . due to the license agreement associated with that tool.

I'm a little curious about which tool comes with such restrictive licensing requirements. Your book provides some superb guidance on tools that seem to be freely usable. For a few hundred bucks, you can buy a copy of X-Ways Capture, which you could use in the field. (Vista issues aside, for the moment.) Of course, the balance of your comments may render the point moot :-)

H. Carvey said...

I'm a little curious about which tool comes with such restrictive licensing requirements.

According to the license, consultants cannot use Nigilant32. There are others, as I said in the blog, you have to read the license agreement.

Of course, the balance of your comments may render the point moot

How so?

Anonymous said...

Shutting down the system, rebooting, and the other steps taken to make you response difficult or futile.

Unknown said...

Is pulling the network plug an acceptable response, and then leaving the system running?

H. Carvey said...


Consider what happens when the plug is pulled...when there is no longer any network connectivity, what happens to the output of netstat?

I can think of a great number of cases where network connection info was pertinent, but not available...botnet and intrusion investigations, PCI forensic audits where one of the questions was, "was any data taken?", etc.

I've seen cases where port scanning or brute-force attempts to log into SQL have been noticed, and the plug immediately pulled...but no information (remote IP address, etc.) saved.

Unfortunately, most folks don't sit down and consider their questions *before* an incident occurs...