Sunday, September 14, 2014

Super Sunday Funday Forensic Challenge - Update 3

Current Contest


Six people have made it to Level 4, and only one has passed it and moved on to Level 5. Level 5 remains unsolved, but that may not last long as our leading contender is really flexing his forensicator muscles on this one. For anyone frustrated, please know that these challenges are made to be difficult and to really push you. With a prize as good as a $5,000 class, it's hard to ask for anything else!

If you have questions, I am planning to be in #dfir on irc.freenode.net on 9/11, 9/12, 9/15 and 9/16; get an IRC client and come ask them. I may be on during weekend evenings, but no guarantee. Other players are in the channel though, and you are welcome to talk amongst yourselves.

For those of you not playing, or looking for a break, here is some more good information.

Learn Windows Forensics from me!

I'll be co-teaching SANS FOR408 with Rob Lee in Ft. Lauderdale, FL at DFIRCon East, Nov 3rd-8th 2014. If you want to spend a week learning everything you can about Windows forensics, with nights going deeper into the artifacts and structures if you want, I can't wait to meet you. As a bonus, SANS has put out a $400 coupon for the event; go here to claim it.

Solutions to the past contest

Something I have been promising but have not yet posted is the answers to the last 5-stage challenge. Let's continue that now.

Stage 3 Question:
You have determined the remote IP address of the attacker, identified the process they injected and when they loaded it into memory. Please list those sources available on most large networks where you could determine the following:

1. What quantity of data was sent to an IP address
2. The earliest known time traffic was seen to an IP address
3. What other IPs are sending traffic to an IP address
4. Who all has queried a DNS address
5. How to impair the attacker's IP address from successfully ex-filtrating data

Stage 3 Answer from a winner:
1. What quantity of data was sent to an ip address:
We use Netwitness at my firm to keep metadata from the packet captures that Netwitness does. I wrote a Python script to key off the group number for a session and build a key:value dictionary off that group number, then put that dictionary into an Excel-friendly format with headers for the 40+ fields captured by Netwitness. That would allow me to filter my Excel sheet from whatever months of Netwitness logs I parsed with my script for the destination IP address, then sum the size column.

2. The earliest known time traffic was seen to an ip address
I would like to think I could query that information in the REST API for Netwitness. I don't honestly have an account on our Netwitness UI yet. I ask someone in the SOC to send me logs for whatever timeframe I need at this point, and for whatever servers etc. If that could not be queried in the REST query from the Netwitness UI, then I would ask for the logs for as many months as I could and filter to the destination IP, then sort by timestamp to find the earliest incident.

3. What other ips are sending traffic to an ip address:
I could still do this with the Netwitness metadata logs parsed into Excel by my script. If there were a lot of source IPs sending data to a particular destination IP, though, I would probably want to break away from Excel and grep for lines that have the destination IP, then sort and uniq for the source IPs and output them to a text file.

4. Who all has queried a DNS address
This question would be best handled by proxy logs. It would be a nightmare to search my entire firm's proxy logs for users looking up a particular web address, but it could be done. I watched Phil Hagen's webcast on Logstash+Kibana+Elasticsearch and that seemed like a really elegant solution for ingesting proxy logs to show visits to addresses. It can be used to filter down for information for the GETs and POSTs, to determine what level of sites a user is visiting, and if there is the same type of activity happening for visits to those sites.

5. How to impair the attacker's IP address from successfully ex-filtrating data
Firewall rules can be put into place for blocking the IP. Proxy filters can be set with the IP as blacklisted. The IPS can be set with a rule against that IP.

The only answer I needed:
In this question I was looking for a lot: an understanding of what default network sources would be available in a normal network, and how to use that data to answer the questions.
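The Stage 3 questions, and the winner's workflow of turning session metadata into a per-session table and then filtering, summing and sorting it, are easy to show in code. The script below is an added example written for this post; it is not the winner's script and not a NetWitness export format. The CSV layout, the DNS log line format, the IP addresses (documentation ranges) and the hostname are all constructed stand-ins. It answers questions 1 through 4 over that constructed data: total bytes to a destination, the first time the destination was contacted, which internal hosts talked to it, and which clients resolved a given name.

```python
"""Answer Stage 3 questions 1-4 over constructed session and DNS metadata.

Constructed example, not the winner's script and not a real NetWitness
export. The record layout is an assumption: one line per session, comma
separated, with the fields named in the header row.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed session metadata (header + rows). Field names are assumed;
# 'size' is the total bytes observed in that session.
SESSION_META = """\
session,time,ip.src,ip.dst,tcp.dstport,size
1001,2014-08-30T01:12:05Z,10.1.1.20,198.51.100.7,443,18204
1002,2014-08-30T01:15:41Z,10.1.1.20,198.51.100.7,443,2310400
1003,2014-08-30T01:20:10Z,10.1.1.44,198.51.100.7,443,901
1004,2014-08-30T02:01:33Z,10.1.1.20,203.0.113.9,80,5120
1005,2014-08-31T09:47:00Z,10.1.2.15,198.51.100.7,443,76000
"""

# Constructed resolver log lines: which client asked for which name, when.
DNS_LOG = """\
2014-08-30T01:11:58Z client=10.1.1.20 query=update.example-bad.test type=A
2014-08-30T01:19:55Z client=10.1.1.44 query=update.example-bad.test type=A
2014-08-30T01:30:02Z client=10.1.1.44 query=www.example.com type=A
2014-08-31T09:46:51Z client=10.1.2.15 query=update.example-bad.test type=A
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(text):
    """Parse the constructed timestamp format into an aware UTC datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_sessions(text):
    """Build one dictionary per session from the CSV export.

    This mirrors the winner's approach: one key/value record per session
    group, then filter and aggregate over the resulting table.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = parse_time(row["time"])
        row["size"] = int(row["size"])
        rows.append(row)
    return rows


def bytes_to(sessions, dst):
    """Q1: total bytes of all sessions whose destination is dst."""
    return sum(s["size"] for s in sessions if s["ip.dst"] == dst)


def earliest_seen(sessions, dst):
    """Q2: timestamp of the first session to dst, or None if never seen."""
    times = [s["time"] for s in sessions if s["ip.dst"] == dst]
    return min(times) if times else None


def sources_to(sessions, dst):
    """Q3: distinct source IPs that talked to dst (the sort/uniq step)."""
    return sorted({s["ip.src"] for s in sessions if s["ip.dst"] == dst})


def dns_clients_for(dns_log, name):
    """Q4: clients that queried name, mapped to their first query time."""
    first_seen = {}
    for line in dns_log.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        if fields.get("query") != name:
            continue
        ts = parse_time(parts[0])
        client = fields["client"]
        if client not in first_seen or ts < first_seen[client]:
            first_seen[client] = ts
    return first_seen


if __name__ == "__main__":
    sessions = parse_sessions(SESSION_META)
    attacker = "198.51.100.7"  # constructed attacker address
    print("bytes sent to", attacker, bytes_to(sessions, attacker))
    print("earliest contact", earliest_seen(sessions, attacker))
    print("internal sources", sources_to(sessions, attacker))
    for client, ts in sorted(dns_clients_for(DNS_LOG, "update.example-bad.test").items()):
        print("dns client", client, ts.isoformat())
```

The split between `parse_sessions` and the four query functions is the point: once the metadata is a list of typed records, each of the questions is a one-line filter over it, which is the same thing the winner was doing with Excel filters and grep/sort/uniq. Note that `earliest_seen` returns `None` rather than failing when the destination was never observed, which is the answer you want when checking a second indicator that turns out not to have hit the network.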