Monday, July 8, 2013

Daily Blog #16: Milestones 8 and 9 detailed

Howdy Reader,
                       It's day one of the SANS DFIR Summit here in Austin, Texas. Matthew and I are speaking this morning and I'm hoping the technical crowd here is awake enough at 9am to give us all the questions they have! Today we continue the milestone series which I hope to finish up this week before we move next week to new topics. We will be detailing milestones 9 and 10 which is pretty far along your progression as we near the end of the milestones I've documented so far. If you can think of others please let me know.

Milestone 9 - You master more than one operating system's artifacts.
    This milestone may sound simple and you may think it should have been listed much earlier in the order. I can appreciate this view point as you are thinking knowledge of an artifact equates to mastery which in my opinion it does not. Mastery in the context of this milestone reflects have all of the knowledge mentioned in the prior milestones ingrained in your memory for a second operating systems. You feel at home with your suite, tools, artifacts and native tools in both platforms allowing you to quickly triage a wider range of systems and scenarios.

    Your need to achieve this milestone will depend on your operating environment. If you work in a company that has a standard ecosystem that is strictly enforced this may not come about for quite some time. If however your company starts brining in a second operating system to the environment, or has legacy operating systems in the environment, you will need to work towards this milestone in order to handle the incidents that will arise. In my lab we handle work from a wide variety of companies and individuals as we provide our services to the public. Our need to keep up with multiple operating systems and their artifacts changes as computing trends change and we are always trying to keep up.

    Achieving this milestone is an important mark in your career, allowing you to start seeing similarities between operating systems, their fundamentals, artifacts created, and data stored. Once you begin seeing artifacts as human created software design decisions you can use that view point to find similar artifacts in other operating systems. Understanding at this level also allows you to better predict outcomes and actions recorded for your recreation testing.

Milestone 10 - You understand how file systems store data and can run tests to determine behavior.
    This was an important moment in my career. I was confident in my understanding of artifacts, I could recreate scenarios and I could explain in layman's terms why artifacts were created in the first place. What I could not fully explain until that point was how and why the underlying file system stored and accessed data and metadata. This milestone is not just about file system data structures; you can read Brian Carrier's excellent book to get your mind filled with those. This milestone is about a deeper understanding of what user activities effect the file system in different ways, leaving different files in different states depending on the actions they took.

    A great example of this milestone is the matrix of timestamps that Rob Lee shows in FOR 508 and can be seen below:

    No one individual artifact created the above conditions seen above, rather its the interaction between the operating system, the application and the file system that lead to these resulting states. Since these resting states are static and reproducible they become powerful tools for your analysis in understanding more of what the file system reveals to you regarding a users activities. You can extend this concept to none file system generic activities such as how certain applications create files, and how the file system stores them. A great example of this is Outlook's handling of attachments. When a user opens an attachment within Outlook it will extract the data to a temporary directory (the location will vary on the version of windows/office) and then reset the $STDINFO to the date of the email.

    Understanding how the file system stores this data and the fact that other timestamps exist then let you do two things:
  1. Match the $STDINFO time to the email the attachment came from in case the same attachment name exists in two emails.
  2. Use the $FILENAME time to determine when the attachment was viewed.
    There is more to this and I plan to write up a post in the near future dealing the interactions Outlook has with the file system and the facts it reveals, but this is a good summation of it to illustrate the importance of this milestone. The more you understand how the file system and it's metadata is set and what is normal the faster you can expand your investigation beyond the artifact and develop a broader picture of a users activities!

We will continue the milestone series tomorrow, if you are at the SANS DFIR Summit please come say hi!