Daily Blog #343: Sunday Funday 6/1/14 - Truecrypt Challenge

Truecrypt Challenge by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
     We have now officially entered the last month of my year of blogging, so let's make sure we end it well. It's Sunday, and that means it's time for another challenge you can spend your day on. Let's change the rules a bit to give you more time to do so while still allowing me to declare a winner, and write a blog post about it, on Monday. If you watched the Forensic Lunch on Friday you heard Lee Whitfield talk about the current TrueCrypt conspiracy. Let's test your malware analysis skills in this week's challenge.

The Prize(s):
A guest post on the blog to raise your visibility
A $250 Amazon Gift Certificate, emailed to you anywhere in the world
A $250 Newegg Gift Certificate, emailed to you anywhere in the world

The Rules:
  1. You must post your answer before Monday 6/2/14 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
Download the latest release of Truecrypt here: http://sourceforge.net/projects/truecrypt/files/TrueCrypt/TrueCrypt-7.2.exe/download and perform an analysis of the binaries to determine what besides decrypting files it is doing.

Also Read: Daily Blog #342

Daily Blog #342 Saturday Reading 5/31/14

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog
Hello Reader,
       It's Saturday! Another week of forensics has passed us by and it's time to reflect on facts hard fought and mysteries left to solve. It's time for more links to make you think in this week's Saturday Reading.

1. We had a fun Forensic Lunch this week with:
  • Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware at the SANS DFIR Summit. Here are the slides from her presentation at Bsides NOLA https://googledrive.com/host/0B_qgg13Ykpypekw4d2hwLVJmeDg/REMacMalware.pdf
  • Lee Whitfield, @lee_whitfield, talking about the current TrueCrypt conspiracy theories and what may have happened
You can watch it here: https://www.youtube.com/watch?v=4ZWP9ZZ71bk

2. Over on the Apple Examiner blog there is a new writeup on making a portable OSX triage workstation; if you are an OSX user it's a good read http://www.appleexaminer.com/MacsAndOS/Analysis/HowTo/PFW/PFW.html

3. The volatility blog has been updated with a large set of information, including updates on their book and the announcement of their yearly plugin contest. Get involved and win a prize! http://volatility-labs.blogspot.com/2014/05/volatility-update-all-things.html

4. On the Digital Forensic Tips blog there is a writeup on how to deal with TrueCrypt in your investigations; it's a good summary and worth a read http://digitalforensicstips.com/2014/05/some-basic-options-when-dealing-with-truecrypt-aka-finally-a-forensics-post/

5. On the hexacorn blog Adam has a write up about a new malware variant that is targeting Windows Sidebar gadgets, http://www.hexacorn.com/blog/2014/05/24/upatres-gadgetry/

6. Brian Moran has a new blog up in his series on artifacts of Bluetooth data exfil, read part 4 here http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_29.html

7. The papers presented at DFRWS EU 2014 are up and I'm looking forward to reading the new research, http://dfrws.org/2014eu/program.shtml; you might see some blog posts pop up on the ones most interesting to me

8. Glen Edwards, Jr and Ian Ahl of FireEye put up their slides from Bsides NOLA called 'Mo' Memory No Problems' https://speakerdeck.com/hiddenillusion/mo-memory-no-problem

9. The Open Security Research blog has been updated with a how to guide to remote memory acquisition in Linux, very cool http://blog.opensecurityresearch.com/2014/05/acquiring-linux-memory-from-server-far.html

10. J Michel has posted a step by step walk through of a journey into chip off, something I'm very interested in http://blog.j-michel.org/post/86992432269/from-nand-chip-to-files

Also Read: Daily Blog #341

Daily Blog #341: Forensic Lunch 5/30/14 - Discussion with Sarah Edwards and Lee Whitfield on Mac/OSX Malware and More

Discussion with Sarah Edwards and Lee Whitfield on Mac/OSX Malware and More


Hello Reader,
            We had a great forensic lunch today with some good conversation and great viewer participation. Our guests this week were:

Sarah Edwards, @iamevltwin, talking about her presentation on Mac/OSX malware.
Lee Whitfield, @lee_whitfield, talking about the current TrueCrypt conspiracy theories and what may have happened

For those listening here are our conference recommendations:
Large conference: CEIC
Mid size but vendor sponsored: PFIC
Mid size but independent : HTCIA
Small and very technical: SANS DFIR Summit and OSDFCon

You can watch the show below:


Daily Blog #340: The leap from beta to final, Triforce updates

The leap from beta to final, Triforce updates

Hello Reader,
          If you are still running a Triforce beta, I would highly suggest you move over to the production version. We've fixed a lot of bugs and added lots of features. It's your choice, free or paid; of course I think the paid version is well worth the money! Curious as to what all is waiting for you? Here is an update:

You can grab a copy of the free or paid version at:
LINK N/A

Report Filtering (Please read user manual for more information)

Exporting and importing filters

Unexpected crashes using filtering options
Added filtering logic

Additional Unicode Support

Filter with Unicode Strings

Export to Unicode File Name

Signatures

Signature Corrections
User can create a file list to search the MFT (Paid Version Only)

GUI

Various GUI bugs
Report Record Count in Report View

Also, to those users who've moved over to the paid version: we have our first signature update going out to you tonight!

Also Read: Daily Blog #339

Daily Blog #339: A short product recommendation

Transend Forensic Migrator and FTK recommendation


Hello Reader,
     If you are like me then searching, de-duplicating and producing email for review is one of the banes of your existence. You would think that such a fundamental task would have been solved in the mainline tools we use, but all of their limitations turn the process of producing email into a bit of a nightmare. I've used a series of tools in the past to accomplish this with varied success:

Transend Forensic Migrator (which is good for all sorts of things)
FTK (which in recent versions has become less reliable in exporting and processing email, much less deduplicating)
Paraben Email Examiner

None of which made the process as easy or simple as Sherpa Software's Discovery Attender did for me today. I've heard from many friends over the years that I should get a copy of this software, as many people were doing in-house basic ediscovery with it, but I hadn't tried it out. I finally broke down and got a copy and let me tell you, it's what it claims to be.

I was able to search 34 archives of email (it supports OST and PST files), search emails and attachments, deduplicate and produce to PST, all within a couple of hours. I'll wait to see what pitfalls lie in wait for me, but for now I'm very happy with this product and can recommend it as a solution for others trying to solve this problem.

Grab a copy here, http://www.sherpasoftware.com/microsoft-exchange-products/discovery-attender.shtml . For those that are wondering, I didn't get so much as a discount for this post; I paid full price and tested it prior to even thinking about writing. Right now I'm downloading a fresh Windows 7 VM and Kali Linux so I can write up the credential stealing series.

Also Read: Daily Blog #338

Daily Blog #338: Triforce ANJP Free Edition

Triforce ANJP Free Edition by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
    I think it's important to keep promises whenever you can. If you remember when we first started talking about the Triforce products, we stated we always wanted to keep a free version available. Today we announce that free version to all of you. While in a perfect world you would get a license of our awesome commercial product, we don't want to withhold good evidence from anyone. The free version of Triforce ANJP will fully parse out the $MFT, $Logfile and USNJrnl to text and sqlite databases just like the commercial version. The only difference comes in its ability to use signatures, both provided by us and ones you create yourself, and advanced reporting.

You can download your own free for life copy here:  

LINK N/A

We are here to support you in your investigations and make sure you always have the best evidence we can help you get. You will see that the license states not for commercial use, which we think is fair for those of you using our tools to generate a profit from your services.

Moving forward we will strive to make the core of the parser the same as the commercial version so the free version will stay up to date and hopefully bug free.

Also Read: Daily Blog #337

Daily Blog #337: Sunday Funday Winner 5/25/14

Sunday Funday Winner by David Cowen - Hacking Exposed Computer Forensics Blog


A solemn memorial day reader,
     I guess you are all enjoying the three day weekend as I received no entries to this week's contest. So I will donate this license to the first armed forces veteran who emails me with proof of service (your choice which proof) today. Email it to dcowen@g-cpartners.com.

After I finish the current series I'm working on, what credentials can attackers steal via what remote access methods, I will write a series on the USN and $logfile artifacts.

Daily Blog #336: Sunday Funday 5/25/14 - $logfile and $USNJrnl Challenge

$logfile and $USNJrnl Challenge by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
      It's Sunday and time for another forensic challenge to see what you know and to share what you know with the community. With the official launch of our first product, Triforce ANJP, it's time to see how well you understand the research and artifacts we've been discussing for the last two years!

The Prize:

A license of Triforce ANJP, a $599 value

The Rules:
  1. You must post your answer before Monday 5/26/14 10AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:

List all of the facts and a description of them you can determine from the $logfile and $USNJrnl that you cannot from any other artifact. 

Also Read: Daily Blog #335

Daily Blog #335: Saturday Reading 5/24/14 - TriForce, CEIC, and More

Saturday Reading by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       It's Saturday, and after a long two weeks in Las Vegas it was back to the lab with expert reports and declarations waiting for me to write. If you are like me and recovering your workload, it's time to keep up with the latest research to see how you can keep ahead of what's coming next. Time for more links to make you think in this week's Saturday Reading.

0. We launched the Triforce ANJP! Go check it out and buy a copy at LINK N/A 

1. The Forensic Lunch this week was live from CEIC, with a total of three shows! You can watch them here:

Day 1: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-331-forensic-lunch-live-from.html
Day 2: http://hackingexposedcomputerforensicsblog.blogspot.com/2014/05/daily-blog-332-forensic-lunch-live-from.html

2. Brian Moran has been very, very busy this week. Not only sending in a guest post to my blog but posting 4 blog posts of his own.

The first is a write up all about advanced analysis of the ZeroAccess rootkit and updates to his Windows response toolkit, http://brimorlabs.blogspot.com/2014/05/zeroaccess-windows-command-line-code.html

The next post is a three part series about data exfiltration using BlueTooth and the analysis to detect it
Part 1: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say.html
Part 2: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_22.html
Part 3: http://brimorlabs.blogspot.com/2014/05/bluetooth-for-data-exfiltration-say_23.html

3. Sharon Nelson has a new blog post up covering a case involving a network engineer who decided to take down his old employer on the way out, http://ridethelightning.senseient.com/2014/05/network-engineer-sentenced-to-four-years-for-destroying-company-data.html. Read this to keep your office space dreams at bay.

4. Harlan has a new post up all about self publishing your next book. If you are considering writing a book please read Harlan's blog carefully and understand the level of effort involved. Once you've done so, carefully consider your next steps and what route to market you want to take:
http://windowsir.blogspot.com/2014/05/book-writing-to-self-publish-or-not.html

5. Adam from Hexacorn is back with part 12 of the beyond the run key series, this week with a focus on Rover autostart mechanism http://www.hexacorn.com/blog/2014/05/21/beyond-good-ol-run-key-part-12/

6. Ryan over at Obsidian Forensics has a new blog up talking about the process of porting his previously Perl tool Hindsight to Python http://www.obsidianforensics.com/blog/python-version-of-hindsight-released/

7. Version 5 of REMnux has been released; a handy reverse engineering distribution gets better http://blog.zeltser.com/post/86508269224/remnux-v5-release-for-malware-analysts

8. A new release candidate for Plaso is out. Kristinn and team are asking that everyone test it and report any bugs they find; get a copy here:

https://googledrive.com/host/0B30H7z4S52FleW5vUHBnblJfcjg/1.1.0/RC1

Also Read: Daily Blog #334

Daily Blog #334: More on Encrypted iPhone backups

More on Encrypted iPhone backups by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       Today we have a guest post from Brian Moran. Brian saw our Sunday Funday challenge based on Hal's recent testing for the SANS OSX Forensics class and generously followed up with some knowledge of his own! Check this out, very cool stuff.

I am sure you guys already know this, but there is something I wanted to add to your Sunday Funday challenge about encrypted iOS backups and the absolute joy that I personally find every time that I come across a system with encrypted backups :) 


When iOS encrypts the data in the keychain, which stores passwords for the system and applications, it uses a unique key to that iOS device (if memory serves, the length of that key is 64bits, and the password is AES256 encrypted using that key. I might be wrong on the key length and encryption mechanism, but I believe that is correct). 


iPhone Keychain Backups
In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.



However, when a user chooses to encrypt their backups, the data in the keychain in the iOS backup is no longer encrypted with that key, it is instead encrypted with the user's iOS backup password. So, by utilizing a tool like elcomsoft's Phone Password Breaker (shoutout to Vladimir Katalov) you can load the encrypted iOS backups into the EPPB tool and attempt to break the password for the backups. Once you (hopefully) recover this password, on top of getting ALL the data from the backups, you now also have passwords saved in the keychain for things like email, wifi connections, application passwords, etc.



I believe the intent of this was to allow a more seamless integration into restoring your iOS device from an encrypted backup (I honestly have no idea why you would take a potentially strong(er) password (device specific) and change it to a potentially weak(er) (user supplied) password, but hey, that is what makes Apple devices so fun to forensicate!) So just be sure that if you choose to encrypt your iOS backups that you use really strong passwords, otherwise, the potential is there to get even MORE data from an encrypted iOS backup than a non-encrypted iOS backup :)

Also Read: Daily Blog #333

Daily Blog #333: Announcing the official launch of Triforce ANJP!

Announcing the official launch of Triforce ANJP!


Hello Reader,
       Thanks to everyone who came out to our launch party at CEIC last night, I had a great time meeting all of you and I hope you had a great time as well. I am very happy to announce that the beta for Triforce ANJP (Advanced NTFS Journal Parser) is over and we are officially making it available for sale.

Go to the Triforce website here:
LINK N/A 

With the arrival of the official commercial version I'm happy to say we've also released:
  • An official Users Manual 
  • Youtube videos explaining the main functions and features of the tool
  • Youtube videos explaining how to use the tool
  • Official support via email and phone
  • All located here: LINK N/A
 We offered a discount code for $100 off the list price of $599 at the conference, but I thought I shouldn't limit that offer to just those who could make it to CEIC. So I thought that, other than our beta users (who received an even better discount code), you our regular blog readers also deserved a discount. So for the next 7 days you can use discount code TFBLOG499 and get the Triforce for just $499! To our beta users, please know that we will have to turn off the beta discount at some point and I'll be emailing you when we determine what that time frame is.

That $499 gets you a perpetual license that you can activate on two systems of your choice and a year of free signature updates. After the 1st year we will charge $199 a year for signature updates and new versions. We have a lot of features planned to be added over the year as we turn the Triforce into what we imagine it can be and when they do get added the price will likely go up. New features coming in the next few months:

  • New signatures monthly
  • Forensic image access, no more exporting artifacts
  • Better reporting
  • More database support, extending beyond sqlite to mysql, postgres and more
  • Full MFT rule support
  • Auto license activation
So if you've enjoyed this year of blogging, the forensic lunch, our projects (like the multi boot thumbdrive), research and tools please consider supporting us with a purchase of a Triforce license. I think you'll be happy you did when you see what it can do for your investigations!

Also Read: Daily Blog #332

Daily Blog #332: Forensic Lunch live from CEIC day 2 with Austin Colby, Steve Whalen, and Sheryl Falk

Forensic Lunch live from CEIC day 2! by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
       We got to do another broadcast live from CEIC and it's been really fun to do. Being able to walk around and just grab people and bring them on the air to you has been great and hopefully good for you as well! The goal in all of these live broadcasts is to bring some of the most interesting things going on here to you at home.

Today we had:
  • Austin Colby from Black Bag talking about what's new with Blacklight, MacQuisition and much more. You can find out more at https://www.blackbagtech.com
  • Steve Whalen, @sumurillc, talking about what's new at Sumuri including Paladin, Recon and others. Steve also talked about his new project Mission: No More Victims https://www.indiegogo.com/projects/mission-no-more-victims-help-us-stop-child-pornography
  • Sheryl Falk, @sherylfalk, talking about her talk at CEIC all about Data Breaches
  • Matthew and I talking all about the official release of the Triforce! You can go here and find out all about it and buy your own license at LINK N/A


Daily Blog #331: Forensic Lunch Live From CEIC Day 1!

Forensic Lunch Live From CEIC Day 1! by David Cowen - Hacking Exposed Computer Forensics Blog


Hello Reader,
       I'm having a lot of fun at CEIC and today we got to do two broadcasts from the conference.

Mid day broadcast:
We had in order of appearance:

  • Suzanne Widup, @suzannewidup, talking about her talk at CEIC on the DBIR and her new book 
  • Ken Mizota, @kenm_encase, the product manager for Encase investigation products, talking about what's new in v7 and the upcoming v8 
  • David Dym, @dave873, talking about his talk on SQLite forensics



End of day wrap up:
We had in order of appearance:

  • Jake Williams, @malwarejake, talking about the conference, his classes and his talks at CEIC
  • Jad Saliba, @jadatmagnet, talking about what's new in IEF, upcoming training classes and certifications!
  • Sarah Edwards, @iamevltwin, talking about her talks at CEIC and her research into OSX



Also Read: Daily Blog #330

Daily Blog #330: Sunday Funday 5/18/14 Winner!

Sunday Funday by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
   Another Sunday Funday has come and gone and I am now only 35 blog posts away from my year! This week I am happy to reveal our winning answer, as I believe the answer presents itself in a well organized fashion that will help many people get a handle on the kill chain as it is.

The Challenge:
Explain the 'Kill Chain' with specific DFIR examples of artifacts you would look for and remediation steps for each part of the process.

The Winning Answer:

The cyber kill chain was first coined by Lockheed Martin’s Eric Hutchins, Michael Cloppert, and Rohan Amin in 2011. Their paper, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” has a wonderfully long title, and is an informative look into cyber threats. More information on this paper can be found in the ‘Further Information’ section, located at the bottom of this submission.
 
When examining where digital forensics and the cyber kill chain intersect, it’s important to understand each step of the kill chain and the forensic artifacts that may be applicable. Let’s take a walk through the kill chain, some relevant DFIR artifacts, and potential remediation/prevention steps:
 
1)    Reconnaissance
a.    Step Overview
The first step of the cyber kill chain highlights the research that an adversary may perform either to identify a potential target, or on a specific, pre-selected target. In either matter, reconnaissance may involve profiling an organization’s web presence, searching for employees and pertinent details, and/or gaining insight into other technologies an organization may use.
b.    DFIR Artifacts
·         Network logs would be artifacts of interest here, including firewall and web logs. Other outward-facing (aka DMZ) device logs would be useful as well. Data analytics can assist analysts in identifying suspicious traffic, such as scanning activity or connections from questionable locations. Correlations over time can help determine what is the “hum of the Internet” vs what may be repeated attempts to profile a network.
·         The identification of reconnaissance is also going to depend on the attacker’s objectives or capabilities. If employees are too open about their personal details on LinkedIn/Facebook/Twitter/FourSquare, an adversary may be able to profile an entire C-Suite without ever pinging an organization’s IP block.
c.    Remediation/Prevention Steps
·         Firewall ACLs can be utilized to block traffic from unwanted locations, or reaching sensitive areas.
·         To address reconnaissance using social networking sites, employee training can go a long way to help preventing too much information being released.
 
2)    Weaponize
a.    Step Overview
The second step of the cyber kill chain is an action of the attacker to take a payload, such as a Trojan or backdoor, and craft it into “weapon form”. By weapon form, the attacker needs a method with which to deliver the payload. These methods may include malicious document files, such as PDFs or MS Office documents, or malicious web sites set to execute code upon page loads.
b.    DFIR Artifacts
·   Artifacts of interest from step 2 would be the weaponized payloads that may be left on a compromised host. Artifacts of this type may include malicious PDFs, Office documents, compressed files, or actual executables delivered via step 3’s mechanism. Granted, Step 3 will be required to get these artifacts on the machine, but once on there, may provide a wealth of information. These artifacts will be utilized in subsequent steps as well.
c.    Remediation/Prevention Steps
·   As step 2 covers the weaponizing of a payload, remediation would be best efforts to prevent the execution of said weapon. This is more in line with step 4.
·   In an effort to catch weaponized malware, NIDS or NIPS tools may be used.

3)    Deliver
a.    Step Overview: While step 2 focused on the weaponization of a payload, step 3 is the actual delivery of said weapon. Methods of delivery may include an email with an attachment from step 2, a maliciously crafted website, or a strategically placed USB drive.
b.    DFIR Artifacts
·         The artifacts an analyst might be interested in from Step 3 will be dependent on the method of delivery. For a spear phishing email, analysts will want to analyze the email messages, including headers, attachments, source, etc. For malicious websites, collecting internet history artifacts, including cached HTML files, scripts, cookies, etc. will be important. If the delivery mechanism is something physical, such as a USB drive with AutoRun malware, then forensically preserving the drive becomes an artifact itself.
c.    Remediation/Prevention Steps
·         Employee training is a valuable step in preventing delivery of malware. While this is a pipe dream for some organizations, educating employees to be cautious of emails containing suspicious attachments or originating from unknown sources. Users should also be cautious when browsing the web, although sometimes even mainstream sites can be hit with vulnerabilities
·         Depending on the delivery vector, there are a multitude of technologies that can help. Endpoint USB protection can help prevent executables from running, and/or disabling Windows features such as AutoRun.
·         Email traffic monitoring, either via inline malware detection or endpoint detection, may help to find malicious files within emails. Also, these tools may be used to
·         Utilizing web proxies may help prevent users from visiting malicious sites. Proxies that ingest data sources like trusted sites and blacklisted IPs are a step closer to prevention.
4)    Exploit
a.    Step Overview: Steps 2 and 3 weaponized and delivered malicious code: Step 4 is the exploitation that allows the malicious code to run. If the delivery mechanism was a PDF, the exploitation may be a vulnerability that allows for JavaScript files to be run and subsequently download a Trojan.
b.    DFIR Artifacts
·         Artifacts of forensic interest for step 4 are going to be similar to step 2 and 3, and will involve the actual weaponized payload itself. Whether it’s a Java, Windows, Internet Explorer, Office, or Adobe exploit (to name some amongst many, many others), performing analysis on the malware may help determine information about the specific exploit(s) used.
·         Step 4 is also where an analyst may want to begin looking at system artifacts. While step 4 does not yet cover a full installation of the malware, system artifacts may yield information such as time of infection or steps that the user took to get infected (unknowingly, we hope). A timeline using a wide range of Windows artifacts (MFT, registry, internet histories, etc.) would be able to identify the time when the email arrived or USB drive was plugged in, and actions that occurred within the seconds (or milliseconds) afterwards.
·         Specific browser artifacts, including pages visited and/or downloads, may also yield information about the exploit.
·         The Windows registry hives (system, sam, software, security, ntuser, and usrclass files) may also provide unique information, such as data on removable drives, recent executables/files.
·         Link (lnk) and prefetch files may provide more information about executables around the time of exploit.
·         A forensic analyst may also, at this point, find themselves accessing logs on various servers – again, dependent on the method of delivery. Web-based exploits would have valuable information in web logs, proxy logs, and/or firewall logs. If the delivery method was email, the analyst may want to pull email information from the central mail server(s) to trace the source of the delivery.
c.    Remediation/Prevention Steps
·         A myriad of steps can help prevent against weapons successfully exploiting on a target host. Keeping software up to date, for example, is important given the number of vulnerabilities that exist in third-party software tools or document…readers.
·         Utilizing host-based intrusion detection and prevention tools, such as HIDS, HIPS, and/or anti-virus can help to protect against exploitation. These tools will also help remediate Step 5, which is the installation of the malware. Note that keeping these endpoint solutions up to date is also extremely important – anti-virus is only as useful as the signatures it knows!
5)    Install
a.    Step Overview: Step 5 focuses on the installation of the weapon from Step 2 via the exploit in Step 4.
b.    DFIR Artifacts
·         Now that the weaponized payload has been installed on the host, the file(s) discussed in steps 2-4 will now certainly be of importance. The analyst should try to capture any remnants of the malware, including executables and other dropped files. Sandboxing or reversing the malware can help analysts determine other artifacts to look for, as well as begin crafting countermeasures for Step 6.
·         More so than step 4, system- and disk-level artifacts are going to be valuable at this point in time.
o   The MFT can help paint when the malware was installed, and other artifacts that may have been Modified/Accessed/Changed/Born. The USN journal will also yield information about changes made to the volume.
o   Windows Event Logs may provide information about the install, and any Windows events that may have been triggered.
o   The components of the Windows registry are going to provide information about application install, keys created/changed/deleted, and persistence mechanisms. UserAssist, ShimCache, and MRU may also be valuable here, although not all will be affected by every malware.
o   Similar to Step 4, link and prefetch files may yield information about the executable(s) run to support the installation.
o   File (file://) entries in the index.dat will also record local and remote file access.
·         A memory capture of an infected host may yield more information about the malware. Of course, it’s difficult to trigger a memory capture as soon as malware is installed on a host; however, there is valuable data in the memory of an infected host.
c.    Remediation/Prevention Steps
·         By this point in time, the malware has successfully been executed on a host and has successfully “passed through” the intended exploit. HIDS/HIPS may be useful in prevention/detection, allowing the malware to get as far as attempting to install on the disk or make registry changes before it’s blocked.
·         If the malware is known, anti-virus software may succeed in stopping the infection at this point. It’s also possible that the malware went undetected up to this point, but a dropped executable or DLL file triggered a Quarantine.
·         Application whitelisting may also be useful at this level, preventing untrusted executables from running.
6)    Command and Control (C2)
a.    Step Overview: Perhaps the sign that many DFIR analysts are familiar with, Step 6 focuses on the beaconing of a compromised host to a C2 server. Once Steps 1-5 have been executed, the host is now likely compromised, and relays back to its C2 infrastructure for next steps.
b.    DFIR Artifacts
·         Artifacts from Step 5 are still going to be useful in this stage, especially if a host is actively beaconing but the source of that beaconing has yet to be identified. Finding what is causing the beaconing should be a top priority.
·         If identified, the source of the beaconing should be captured and analyzed. Malware may have multiple C2 servers embedded, and MD5 hash values may lead to other intel.
c.    Remediation/Prevention Steps
·         As with other steps, NIDS/NIPS solutions installed in an environment may be able to detect, alert on, or prevent suspicious traffic. Other steps in the kill chain may have been successful thus far, however NIDS/NIPS may prevent C2 communications from leaving the network.
·         If intel is gathered about C2 domains/IPs, firewall ACLs can be put into place to prevent outbound or inbound communication.
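One way to hunt for the beaconing described above is to look for regularly spaced requests in proxy logs. The following is an added example, not code from the original post or its author: it runs over a few constructed proxy log lines (the `.example` hosts and 10.0.0.x clients are made up) and flags client/destination pairs whose request intervals show little jitter; the function names and thresholds are my own.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines for this example: timestamp, client, destination, status, bytes.
# 10.0.0.5 contacts beacon.example about once a minute; 10.0.0.6 browses news.example irregularly.
SAMPLE_PROXY_LOG = """\
2014-05-30T10:00:00 10.0.0.5 beacon.example 200 512
2014-05-30T10:01:01 10.0.0.5 beacon.example 200 512
2014-05-30T10:01:59 10.0.0.5 beacon.example 200 512
2014-05-30T10:03:00 10.0.0.5 beacon.example 200 512
2014-05-30T10:04:00 10.0.0.5 beacon.example 200 512
2014-05-30T10:05:00 10.0.0.5 beacon.example 200 512
2014-05-30T10:00:10 10.0.0.6 news.example 200 48210
2014-05-30T10:00:14 10.0.0.6 news.example 200 12003
2014-05-30T10:07:41 10.0.0.6 news.example 200 9001
2014-05-30T10:31:05 10.0.0.6 news.example 200 51203
2014-05-30T11:02:17 10.0.0.6 news.example 200 7720
"""

def parse_proxy_log(text):
    """Group request timestamps by (client, destination), skipping blank or malformed lines."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        stamp, client, dest = fields[:3]
        by_pair[(client, dest)].append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"))
    return by_pair

def find_beacons(text, min_hits=5, max_jitter=0.2):
    """Flag (client, dest) pairs whose requests are evenly spaced: jitter = stdev/mean of the gaps,
    near 0 for a fixed sleep loop and high for human browsing. Tune the thresholds per environment."""
    beacons = {}
    for pair, stamps in parse_proxy_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period > 0 else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = {"hits": len(stamps), "period_s": period, "jitter": jitter}
    return beacons

if __name__ == "__main__":
    for (client, dest), s in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"{client} -> {dest}: {s['hits']} hits every ~{s['period_s']:.0f}s, jitter {s['jitter']:.2f}")
```

Real implants often add random sleep jitter, so widen max_jitter and require more hits before treating a low-jitter pair as anything more than a lead to confirm on the host.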
7)    Act on Objectives
a.    Step Overview
The final step of the cyber kill chain identifies that once an attacker has gained a foothold into an organization, their true objectives come to light. If an attacker compromised the laptop of a CFO, and the original target was next quarter’s financials, then this step represents the exfiltration of said data. Another type of objective may have been to infiltrate an entry point, and then move laterally throughout a network.
b.    DFIR Artifacts
·         Step 7 is not a fun place to be in the cyber kill chain, however from a forensic analyst’s point of view, it is sometimes the most fruitful. It may also be the most common. A large majority of artifacts discussed in previous steps can be useful at this step. Of course, understanding the motives of the attackers will determine how useful each one will be.
·         If the attacker was hoping to compromise an initial host and move throughout an environment, lateral movement artifacts will be useful at this step. This may include:
o   Remote Desktop Protocol (RDP) history
o   Windows Event Logs to identify failed/successful logins, logon types (remote, local, etc.), and other events
o   Windows Registry Hives to check for new Windows user accounts and user activity. Shellbags may also highlight lateral movement.
·         If the attacker was seeking to exfiltrate data, then a forensic analyst will want to look for evidence of files being removed from the system, or creation of new compressed files.
o   Newly-created, and oddly named compressed files such as RARs or ZIPs may differ from user behavior and resemble attacker exfiltration.
o   MFT entries may show new compressed files created
o   Prefetch and/or LNK files may show compression tools being utilized
·         An analyst will also want to again consult network logs available to detect outbound information. Network device logs may point to exfiltration IPs/hosts, or even provide bytes-out counts to determine how much data left the environment.
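To put the "bytes out" idea into practice, an analyst can total outbound volume per source/destination pair and flag large, upload-heavy transfers, since workstation traffic is normally download-heavy. This is an added example, not code from the original post or its author; the firewall log lines are constructed (RFC 5737 documentation addresses), and the function names and thresholds are my own.

```python
from collections import defaultdict

# Constructed firewall connection-log lines for this example:
# timestamp, source host, destination, bytes received by the host, bytes sent by the host.
# 10.0.0.5 pushes about 1.9 GiB to 203.0.113.7 late at night; the rest is download-heavy browsing.
SAMPLE_FW_LOG = """\
2014-05-30T09:12:10 10.0.0.5 198.51.100.20 5242880 40960
2014-05-30T09:40:21 10.0.0.6 198.51.100.20 3145728 20480
2014-05-30T10:02:55 10.0.0.6 198.51.100.44 1048576 65536
2014-05-30T22:14:03 10.0.0.5 203.0.113.7 2048 734003200
2014-05-30T22:31:47 10.0.0.5 203.0.113.7 1024 1258291200
"""

MIB = 1024 * 1024

def summarize_flows(text):
    """Total bytes in/out and flow count per (source, destination) from the log format above."""
    totals = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "flows": 0})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _stamp, src, dst, b_in, b_out = fields
        entry = totals[(src, dst)]
        entry["bytes_in"] += int(b_in)
        entry["bytes_out"] += int(b_out)
        entry["flows"] += 1
    return totals

def find_exfil_candidates(text, min_out_bytes=100 * MIB, min_out_ratio=10.0):
    """Flag (src, dst) pairs that sent at least min_out_bytes and whose out/in ratio is inverted
    relative to normal browsing. Hosts with no inbound bytes at all get an infinite ratio."""
    flagged = {}
    for pair, t in summarize_flows(text).items():
        ratio = t["bytes_out"] / t["bytes_in"] if t["bytes_in"] else float("inf")
        if t["bytes_out"] >= min_out_bytes and ratio >= min_out_ratio:
            flagged[pair] = {**t, "out_ratio": ratio, "out_mib": t["bytes_out"] / MIB}
    return flagged

if __name__ == "__main__":
    for (src, dst), s in find_exfil_candidates(SAMPLE_FW_LOG).items():
        print(f"{src} -> {dst}: {s['out_mib']:.0f} MiB out over {s['flows']} flows (out/in x{s['out_ratio']:.0f})")
```

Backup agents, cloud sync and mail relays will legitimately match this pattern, so pair the flagged destinations with the host-side artifacts above (new archives, prefetch for compression tools) before calling it exfiltration.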
c.    Remediation/Prevention Steps
·         Again, remediation/prevention is going to depend on the attacker’s objectives. An unprotected system in a poorly-maintained environment is going to leak data without detection. That being said, maintaining proper network intrusion prevention/detection, host-based intrusion prevention/detection, anti-virus, and a responsive DFIR team will be useful.
·         More specifically, to block outbound communications, firewall ACLs can again be utilized to block communication.
·         User access controls and permissions can be useful in preventing damaging lateral movement.
 
Note that the preceding is, by no means, an exhaustive list. To pretend that infosec is the same as it was five minutes ago is a dream, and analysts should be prepared to be nimble. There is no single “do it all” tool that offers “push button” forensics and information security. But the right tools, when combined in the right environment, and with the right people, can go a long way in helping an organization keep its data where it should be.
Also Read: Daily Blog #329