Thursday, March 15, 2018

DFIR Questions, How-Tos...

Not long ago, I finished up the content of my latest book, Investigating Windows Systems, and got it all shipped off to the publisher.  The purpose of this book is to go beyond my previous books; rather than listing artifacts and mentioning ways they can be used, I wanted to walk through examinations, using CTF and forensic challenge images that are available online.

A short-coming of this approach is that it leaves a lot of topics not addressed, or perhaps not as fully addressed as they could be.  For example, of the images I used in writing my book, there were no business email compromises, and little in the way of lateral movement, etc.  There was some analysis of user activity, but for the most part, it was limited.

Back in July 2013, I had some time available, and I wrote up about a dozen "How To" blog posts covering various Windows DFIR topics.  What I've thought might be of value to the community is to go back to those "How To" posts, expand and extend them a bit, add coverage for Windows 10, and include them in a book.

My question to the community at large is this...what are some of the topics that should be addressed, beyond those I blogged about almost 5 years ago?

Now, when considering these questions, or opportunities for "How To" chapters, please understand that I may not be able to address all of them.  For example, I've never conducted a business email compromise (BEC) investigation.  As I've pointed out before, even in just over two decades of DFIR consulting, I haven't seen everything, and I don't know everything.  I also do not have access to an AD environment.

Even so, I'd still appreciate your input, because some of the answers and thoughts I can provide may serve as building blocks for larger solutions.

So, again...what are some DFIR analysis topics, specific to Windows systems, that provide good opportunities for "just in time" training via "How To" articles or documents?


Addendum, 20 Mar:
Okay, I was able to pull together some input from other sources, and here's what I've got so far...

How to analyze Windows Event Logs
How to get the most out of RegRipper
How to investigate CD burning
How to perform malware detection
How to detect data exfiltration
File (LNK, DOCX/DOC, PDF) Analysis
How to investigate lateral movement
How to investigate program execution
How to investigate user activity
How to find and interpret true last access time and dates
How to correlate/associate a device with a user (USB, Bluetooth)
How to detect/analyze the use of anti-forensics

This is just the high-level view and not the detailed outline.  However, it does seem pretty extensive.  So...thoughts?  Input?  Comments?  Complaints?  All are welcome...


Bryan Bowie said...

With over 200 posts in the last 5 years it is pretty hard to say if anything is directly "missing". What I absolutely love about this blog are the topics that show capabilities and techniques one can use while either on the box itself (or on a clone). Enterprises are moving more into EDR at first response and while using tools made by others is great in a fair number of situations, there are times when you would rather just use native tools like PowerShell.

Maybe it's just me but I would love for more endpoint driven EDR posts, living off the land.

H. Carvey said...

EDR is huge...performing DFIR analysis after an incident (in many cases, months after...) means that a lot of data required to really state definitively what happened is no longer available. Different artifacts have different lifetimes...processes, for example, exist until the process exits or the system is shut down. Months later, you have neither the command line, nor process memory available.

I've been pushing this message pretty consistently through LinkedIn and Twitter.

Felipe C said...

I would like to see a "How To" on performing DFIR in the cloud. There seems to be a lack of specific guidance on performing incident response on AWS and Azure environments. Is it the same as performing IR locally? What are the nuances? How do we deal with EBS volumes instead of locally attached disks?
As Bryan mentioned, in the past few years I have moved to EDR from the traditional disk image forensics and have experienced the benefits. Again, should we be deploying EDR in the cloud to aid in post-compromise analysis with the traditional CB+Splunk and Sysmon+ELK tools? Or should we leverage built-in tools such as AWS Cloudwatch and Cloudtrail for completeness of vision?

Another topic that intrigues me is forensics with WSL. Do we need Windows skills and tools or Linux?

H. Carvey said...


> I would like to see a "How To" on performing DFIR in the cloud.

My only experience performing DFIR in the cloud was from when I worked at Terremark, now owned by Verizon. As their 'cloud' was based on VMWare, we could pause individual systems and grab the necessary files (disk image or VMDK file, memory). At that point, it's really no different from traditional disk forensics.

There's a very good blog post here that addresses some of the issues in general:

Hopefully this helps.

> ... should we be deploying EDR in the cloud to aid in post-compromise analysis...

Absolutely. However, if you've already got the "traditional Cb+Splunk", then you already have EDR, so you should be performing early incident detection.

> ...Or should we leverage built-in tools...

Whatever works for you. In a lot of ways, that question is really no different from most of the ones DFIR folks deal with...someone says, "...should I do X or Y...", and we answer, "...well, what do you want to accomplish in the end?"

Thanks for the questions, I hope these responses have helped...

@_N4rr34n6_ said...

I had a case a while back, quite complex because a long time went by from the incident until it was communicated.
A user was stealing information from multiple systems through a USB device.
Then, on his own system, he viewed this information and, finally, he would use CCleaner.
The only reference I found about the stolen information was in the 'change.log' file.
I would have paid whatever it took in order to have a 'How to' for that case.

A result of this case has been my obsession with USB devices: what interaction they have with a system, how they function, ...
I've seen references to the Registry keys in the event logs.
I've seen references to the Registry keys in the free disk space.
I've seen references to the Registry keys in the '.etl' files.
I would like to know how to associate all this data.

I've even got a slide show to publish soon about USB devices and all their activity on a system, with several situations.

I apologize if I can't explain it well.

Dan O’Day said...

More on SRUM use cases (detecting cryptomining perhaps?), understanding implications of dirty bits in Registry and replaying transaction logs, new anti-debugging features in Win10 and “state of the union” of memory capture tools, reverse engineering undocumented Windows API data structures....

H. Carvey said...


Thanks for commenting, and for sharing your thoughts. Could you help me understand these a bit more?

> More on SRUM use cases (detecting cryptomining perhaps?)

This is an interesting topic, and definitely something I can see being useful.

> understanding implications of dirty bits in Registry and replaying transaction logs

I get that the Registry transaction logs are somewhat "new", insofar as being utilized, but can you expand a bit as to what you're looking for? I'm only aware of a very few individuals performing research in this area, and as such, I don't see that it's hard to keep up on it.

> new anti-debugging features in Win10

I'm not really clear as to how I'd cover this from a DFIR perspective...

> “state of the union” of memory capture tools

I'm sure that this has been covered, and it's not really a Windows DFIR topic...

> reverse engineering undocumented Windows API data structures....

Anything in particular, or just a general question?


Dan O’Day said...


Concerning Registry transaction logs, aside from synchronization issues between RAM and disk, is there any more to see here? Is this the Registry equivalent/consequence of NTFS “lazy write” or are there potential nefarious uses here? For instance, can I ensure the Registry changes certain configurations “live” but records a different value “dead”? I’m really not sure, just thinking out loud. It may be that there isn’t much to see here and I should just move along.

The memory capture and Win10 anti-debugging measures are related. I think this is going to significantly impact collecting RAM, and even how tools go about it may result in some getting a “blank” area/page whereas other tools will get some or all data from these regions. A comparison and discussion of methodology would be enlightening.

Concerning reverse engineering undocumented WinAPI stuff, it would be handy to do a walkthrough of how to “figure out” how a specific exported function from a DLL works or determine the structure of some record format. I recently had to figure out the SID structure (beginning with a binary array as input) and don’t know that I would have figured it out had it not been for NirSoft documenting the C structs and having several blog posts from MS to guide me. But had I not had those, I’m not really sure where I would have started. This happens all the time. Connecting these dots is challenging (how do I determine the struct(s) and corresponding functionality?). This is still way too broad, I know, but how did you determine various enumerated flags when writing RegRipper? Did you find docs or did you have to reverse engineer any of the structures to determine what bitwise checks meant for various flags? Just some thoughts.
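The binary SID layout mentioned in the comment above, worked through as an added example that is not part of the original post or its comments. It decodes a SID from raw bytes into the familiar S-1-... string, encodes the string back, and scans an unstructured buffer (unallocated space, a memory image, a raw .etl) for well-formed NT-authority SIDs. The structure offsets are Microsoft's documented layout; the sample byte strings are constructed for the example, and the carving filter on identifier authority 5 is this example's own heuristic, not a Windows API.

```python
"""Decode, encode and carve Windows security identifiers (SIDs) in binary form."""
import struct

# Documented binary SID layout (NirSoft's C structs describe the same fields):
#   offset 0   : Revision, always 1
#   offset 1   : SubAuthorityCount, 0..15
#   offset 2-7 : IdentifierAuthority, 48-bit big-endian integer
#   offset 8.. : SubAuthority[SubAuthorityCount], each a 32-bit little-endian DWORD
SID_MAX_SUB_AUTHORITIES = 15
NT_AUTHORITY = (5).to_bytes(6, "big")


def parse_sid(raw: bytes, offset: int = 0) -> str:
    """Decode the SID at raw[offset:] into S-R-I-S... string form.

    Raises ValueError for a revision other than 1, a sub-authority count over 15,
    or a buffer too short to hold the number of sub-authorities it declares.
    """
    if len(raw) - offset < 8:
        raise ValueError("buffer too short for SID header")
    revision, count = raw[offset], raw[offset + 1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"sub-authority count {count} exceeds {SID_MAX_SUB_AUTHORITIES}")
    if len(raw) - offset < 8 + 4 * count:
        raise ValueError("buffer truncated before the last declared sub-authority")
    authority = int.from_bytes(raw[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, offset + 8)
    # String form prints the authority in decimal unless it needs more than 32 bits.
    auth_str = str(authority) if authority < (1 << 32) else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth_str] + [str(s) for s in subs])


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back to its binary form; inverse of parse_sid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2], 0)  # base 0 accepts both decimal and 0x... authorities
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def carve_sids(blob: bytes) -> list:
    """Return (offset, sid_string) pairs for every well-formed NT-authority SID in blob.

    Heuristic, not an API: a revision byte of 1, a count of 1..15 and authority 5
    together make a false hit unlikely in random data, but every hit still needs to
    be validated in context (what record surrounds it, whether the RIDs make sense).
    """
    hits = []
    pos = blob.find(b"\x01")
    while pos != -1 and pos + 8 <= len(blob):
        if blob[pos + 2:pos + 8] == NT_AUTHORITY and 1 <= blob[pos + 1] <= SID_MAX_SUB_AUTHORITIES:
            try:
                hits.append((pos, parse_sid(blob, pos)))
            except ValueError:
                pass  # declared count runs past the end of the buffer; not a SID
        pos = blob.find(b"\x01", pos + 1)
    return hits


# Constructed sample input (not from the page): BUILTIN\Administrators (S-1-5-32-544)
# and a made-up domain SID with RID 500, embedded in filler bytes to exercise carving.
ADMINISTRATORS_SID = bytes.fromhex("01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00")
DOMAIN_ADMIN_SID = bytes.fromhex(
    "01 05 00 00 00 00 00 05 15 00 00 00 E8 03 00 00 D0 07 00 00 B8 0B 00 00 F4 01 00 00")
SAMPLE_BLOB = b"\xff" * 4 + ADMINISTRATORS_SID + b"\x00" * 3 + DOMAIN_ADMIN_SID + b"\xaa" * 5

if __name__ == "__main__":
    print(parse_sid(ADMINISTRATORS_SID))
    print(parse_sid(DOMAIN_ADMIN_SID))
    for off, sid in carve_sids(SAMPLE_BLOB):
        print(f"offset {off}: {sid}")
```

The length check against the declared sub-authority count is the part that matters when the input is a byte array of unknown provenance: a record pulled from free space or a hive fragment may be cut off, and trusting the count byte without it reads past the buffer, which is exactly the mistake that makes hand-rolled structure parsers unreliable.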

Owen said...

I'm looking forward to your new book.
I would like to see how-tos pertaining to shadow copies (when to use it? what type of data is available?), building a timeline (what types of data should be included? how to start analyzing it?) and investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)
Thank you

H. Carvey said...


> pertaining to shadow copies (when to use it? what type of data is available?)

I covered VSCs pretty extensively in WFA 4/e.

> ...building a timeline (what types of data should be included? how to start analyzing it?)

I covered creating timelines in WFA 4/e, and used timelines in IWS (coming out in a couple of months).

> ...investigating file-less attacks (beyond the buzz-word - analyze PowerShell, WMI, BITS etc.)

Thanks for the input, keep it coming!

Joe said...

Here are a few suggestions:

How to pull artifacts from endpoints (e.g. Kansa, psexec, wmic, osquery, winpmem)
How to analyze artifacts from many endpoints (e.g. data stacking, LFO, temporal)
How to threat hunt on a budget
How to create and use threat intelligence, rather than relying on threat feeds

Unknown said...

The older log2timeline has really changed quite a bit. When I started timelines I was using the SIFT with log2timeline. Now, most of those commands are deprecated and plaso has replaced them. I think writing pertaining to the current log2timeline with plaso would be helpful, Devildog. You have a manner of explaining a topic with a greater clarity when compared to most.