
Daily Blog #16: Milestones 8 and 9 detailed

Howdy Reader,
                       It's day one of the SANS DFIR Summit here in Austin, Texas. Matthew and I are speaking this morning and I'm hoping the technical crowd here is awake enough at 9am to give us all the questions they have! Today we continue the milestone series which I hope to finish up this week before we move next week to new topics. We will be detailing milestones 9 and 10 which is pretty far along your progression as we near the end of the milestones I've documented so far. If you can think of others please let me know.

Milestone 9 - You master more than one operating system's artifacts.
    This milestone may sound simple, and you may think it should have been listed much earlier in the order. I can appreciate this viewpoint if you are thinking that knowledge of an artifact equates to mastery, which in my opinion it does not. Mastery in the context of this milestone means having all of the knowledge mentioned in the prior milestones ingrained in your memory for a second operating system. You feel at home with your suite, tools, artifacts and native tools on both platforms, allowing you to quickly triage a wider range of systems and scenarios.

    Your need to achieve this milestone will depend on your operating environment. If you work in a company that has a standard ecosystem that is strictly enforced, this may not come about for quite some time. If, however, your company starts bringing a second operating system into the environment, or has legacy operating systems in the environment, you will need to work towards this milestone in order to handle the incidents that will arise. In my lab we handle work from a wide variety of companies and individuals as we provide our services to the public. Our need to keep up with multiple operating systems and their artifacts changes as computing trends change, and we are always trying to keep up.

    Achieving this milestone is an important mark in your career, allowing you to start seeing similarities between operating systems, their fundamentals, the artifacts they create, and the data they store. Once you begin seeing artifacts as human-made software design decisions, you can use that viewpoint to find similar artifacts in other operating systems. Understanding at this level also allows you to better predict the outcomes and actions recorded in your recreation testing.

Milestone 10 - You understand how file systems store data and can run tests to determine behavior.
    This was an important moment in my career. I was confident in my understanding of artifacts, I could recreate scenarios, and I could explain in layman's terms why artifacts were created in the first place. What I could not fully explain until that point was how and why the underlying file system stored and accessed data and metadata. This milestone is not just about file system data structures; you can read Brian Carrier's excellent book to get your mind filled with those. This milestone is about a deeper understanding of how different user activities affect the file system in different ways, leaving different files in different states depending on the actions the user took.

    A great example of this milestone is the matrix of timestamps that Rob Lee shows in FOR 508 and can be seen below:

    No single artifact creates the conditions seen above; rather, it is the interaction between the operating system, the application and the file system that leads to these resulting states. Since these resting states are static and reproducible, they become powerful tools for your analysis in understanding more of what the file system reveals to you regarding a user's activities. You can extend this concept to generic activities that are not file system specific, such as how certain applications create files and how the file system stores them. A great example of this is Outlook's handling of attachments. When a user opens an attachment within Outlook, it will extract the data to a temporary directory (the location will vary with the version of Windows/Office) and then reset the $STDINFO timestamps to the date of the email.

    Understanding how the file system stores this data, and the fact that other timestamps exist, then lets you do two things:
  1. Match the $STDINFO time to the email the attachment came from in case the same attachment name exists in two emails.
  2. Use the $FILENAME time to determine when the attachment was viewed.
    There is more to this, and I plan to write up a post in the near future dealing with the interactions Outlook has with the file system and the facts it reveals, but this is a good summation of it to illustrate the importance of this milestone. The more you understand how the file system and its metadata are set and what is normal, the faster you can expand your investigation beyond the artifact and develop a broader picture of a user's activities!
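As an added illustration of the two steps above (not code from the original post), here is a small Python routine that takes already-parsed MFT records for files in the Outlook temporary folder, flags the ones whose $STANDARD_INFORMATION creation time predates their $FILE_NAME creation time, matches the $STANDARD_INFORMATION time to the received time of an email carrying an attachment of the same name, and reports the $FILE_NAME time as when the attachment was viewed. The MFT records, email metadata, and the one-minute matching tolerance are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample MFT records (already parsed) from the Outlook temp folder.
# si_* = $STANDARD_INFORMATION timestamps, fn_* = $FILE_NAME timestamps.
SAMPLE_FILES = [
    {"name": "invoice.pdf", "si_created": datetime(2013, 6, 3, 14, 22, 10),
     "fn_created": datetime(2013, 7, 9, 9, 41, 5)},
    {"name": "invoice.pdf", "si_created": datetime(2013, 6, 28, 8, 5, 0),
     "fn_created": datetime(2013, 7, 9, 10, 2, 33)},
    # Ordinary file: both attributes set at creation, so it is not flagged.
    {"name": "notes.txt", "si_created": datetime(2013, 7, 9, 11, 0, 0),
     "fn_created": datetime(2013, 7, 9, 11, 0, 0)},
]

# Constructed sample email metadata (e.g. from a PST/OST parse).
SAMPLE_EMAILS = [
    {"subject": "Invoice May", "received": datetime(2013, 6, 3, 14, 22, 10),
     "attachments": ["invoice.pdf"]},
    {"subject": "Invoice June", "received": datetime(2013, 6, 28, 8, 5, 0),
     "attachments": ["invoice.pdf"]},
]


def looks_like_outlook_extract(rec, slack=timedelta(seconds=2)):
    """$STANDARD_INFORMATION older than $FILE_NAME: NTFS stamped $FILE_NAME at
    extraction, then Outlook reset $STANDARD_INFORMATION to the email date.
    Timestomping tools leave the same pattern, so corroborate with an email match."""
    return rec["si_created"] + slack < rec["fn_created"]


def match_attachment_to_email(rec, emails, tolerance=timedelta(minutes=1)):
    """Step 1: find the email whose received time matches $STDINFO and which
    carries an attachment of the same name. Returns None if nothing matches."""
    cands = [e for e in emails if rec["name"] in e["attachments"]
             and abs(e["received"] - rec["si_created"]) <= tolerance]
    return min(cands, key=lambda e: abs(e["received"] - rec["si_created"])) if cands else None


def attribute_attachments(files, emails):
    """Step 1 and 2 together: source email per flagged file, plus the
    $FILE_NAME creation time as the moment the attachment was opened."""
    out = []
    for rec in files:
        if not looks_like_outlook_extract(rec):
            continue
        email = match_attachment_to_email(rec, emails)
        out.append({"name": rec["name"],
                    "source_email": email["subject"] if email else None,
                    "viewed_at": rec["fn_created"]})
    return out


if __name__ == "__main__":
    for row in attribute_attachments(SAMPLE_FILES, SAMPLE_EMAILS):
        print(row)
```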

We will continue the milestone series tomorrow, if you are at the SANS DFIR Summit please come say hi!
