Triage & DFIR
Cesar Lorenzana
Copyright © 2018 all rights reserved
Live Data Forensic
• Concept: get the maximum amount of information while the computer is still on
• It will be carried out in many of our investigations
• Objective: preserve volatile evidence, especially RAM, and collect system information
Triage
• Concept: borrowed from the medical sector. The set of actions an examiner carries out to get an overall idea of the system to be examined and to determine the relevance and priority of the evidence to be collected.
• Objective: to begin the forensic examination with those indicators that are crucial to the investigation and that could disappear.
Risks
• Data collection presents some risks
• Pressing a key, connecting a pendrive, executing an application ... EVERYTHING modifies the system (Locard's exchange principle)
• Objective: to collect the information while minimizing the alteration of the system and thoroughly documenting the entire process
• Purists: do not touch anything!
• Pull the plug?
Waking Up the device
• Move the mouse or touch the trackpad
• Press a key ...
  – Alt
  – Ctrl
  – Shift
Gathering Data
• There is no way to avoid making changes to the system
• Objective: to collect as much information as possible with the lowest "footprint"
• The order in which the data is captured can be crucial to the investigation: we must follow the correct order of volatility
What data do we need ?
– Information describing the current state of the system:
  • Network connections, internet connection, IP address ...
  • Processes running on the system
  • Encrypted volumes or files
  • Users, date and time of the system
  • Open files
  • Clipboard content
  • Command history
  • Mapped network drives
  • In general, any information that might disappear.
“Live response” Tools
• An LR tool should get:
  – Date, time and time zone of the system
  – Operating system version
  – General system information (memory size, hard disk(s), file system)
  – Services and applications configured to start at boot (web servers, databases, email applications, antivirus ...)
  – Scheduled tasks
  – Local user accounts and the groups they belong to
“Live response” Tools
• An LR tool should also extract:
  – Details of the network interfaces (IP and MAC address of each device)
  – Routing tables, ARP tables, DNS cache ...
  – Loaded drivers or modules
  – Device configuration information
  – User login history: user name, session durations ...
  – List of installed software (browsers, antivirus, encryption software, other applications ...)
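Added example (not from the slides or any of the tools they show) of the two points above: a minimal live-response collector that runs read-only commands in order of volatility, saves each output and writes a SHA-256 manifest so the collection is documented. The command names are assumed Linux/macOS defaults; a tool that is missing is recorded as an error instead of aborting the run.

```python
"""Minimal live-response collector: added example, not from the slides.
Runs read-only commands in order of volatility, saves each output and
writes a SHA-256 manifest. Command names are Linux/macOS defaults (assumed);
a missing tool is recorded as an error rather than aborting."""
import hashlib
import os
import subprocess
from datetime import datetime, timezone

# Most volatile first: clock, sessions and processes, network state,
# then system facts that change slowly.
STEPS = [
    ("01_datetime", ["date", "-u"]),
    ("02_uptime", ["uptime"]),
    ("03_logged_in_users", ["who"]),
    ("04_processes", ["ps", "aux"]),
    ("05_connections", ["netstat", "-an"]),
    ("06_arp_cache", ["arp", "-an"]),
    ("07_routes", ["netstat", "-rn"]),
    ("08_interfaces", ["ifconfig", "-a"]),
    ("09_os_version", ["uname", "-a"]),
]

def run_step(cmd, timeout=30):
    """Run one command and return its combined output (or an error note)."""
    try:
        res = subprocess.run(cmd, capture_output=True, timeout=timeout)
        return res.stdout + res.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return ("ERROR running %s: %s\n" % (" ".join(cmd), exc)).encode()

def collect(outdir):
    """Run STEPS in order, write one file per step plus manifest.txt."""
    os.makedirs(outdir, exist_ok=True)
    manifest = []
    for name, cmd in STEPS:
        started = datetime.now(timezone.utc).isoformat()
        data = run_step(cmd)
        with open(os.path.join(outdir, name + ".txt"), "wb") as fh:
            fh.write(data)
        manifest.append({"step": name, "cmd": " ".join(cmd), "started_utc": started,
                         "sha256": hashlib.sha256(data).hexdigest()})
    with open(os.path.join(outdir, "manifest.txt"), "w") as fh:
        for m in manifest:
            fh.write("%(started_utc)s %(sha256)s %(step)s (%(cmd)s)\n" % m)
    return manifest

if __name__ == "__main__":
    for m in collect("live_response_out"):
        print(m["step"], m["sha256"][:16], m["cmd"])
```

The manifest line per step (UTC start time, hash, command) is the documentation trail the Risks slide asks for; run it from removable media so the output never touches the examined disk.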
Mandiant's Redline
• Mandiant's Redline: GUI tool that can both extract information and analyze the extraction
Mandiant's RedLine Settings
Mandiant's RedLine Settings (II)
Mandiant's RedLine Settings (III)
Mandiant's RedLine Settings (IV)
Mandiant's RedLine Settings (V)
Running Mandiant's RedLine
Remote Gathering Reports
Docker
Get Rapid Response (GRR)
Deploying GRR
Launch a docker instance:
docker run \
  --name grr-server \
  -e EXTERNAL_HOSTNAME="localhost" \
  -e ADMIN_PASSWORD="demo" \
  --ulimit nofile=1048576:1048576 \
  -p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080 \
  grrdocker/grr:v3.2.3.2 grr
Credentials: admin/demo
Stop the container: docker stop grr-server
Delete the container: docker rm grr-server
Get Rapid Response
Systeminfo
msconfig
Linux - Fast IR Collector
Fast IR Collector
• Tool written in Python 2.7
• It must be executed as root
• Results in CSV
Fast IR Collector
Mac OS
• Recon (Sumuri) (Commercial & Paid Tool)
Mac OS
MAC_APT: https://github.com/ydkhatri/mac_apt/wiki
Mac OS
Volatile Data: RAM Memory
• RAM (Random Access Memory): a type of memory that needs electrical power to retain its contents.
Dataflow
Types of RAM
• SRAM (static RAM): faster than DRAM but more expensive (CPU registers, internal CPU caches, hard disk buffers ...)
• DRAM (dynamic RAM): faster than a hard drive but slower than SRAM
Data of Interest in RAM
• Running processes and open ports
• Unencrypted passwords (usually stored encrypted on disk)
• Unencrypted data
• Logged-in user
• System information
• Connected devices
Dumping the RAM
RAM Analysis
Volatilityfoundation.org
Parameters & Plugins
Parameters & Plugins
Pslist, Psscan and Pstree
Pslist: shows the processes that were running at the time of the dump. Does not show "unlinked" or hidden processes.
Pstree: shows the processes in the form of a tree.
Psscan: shows all processes, even hidden and unlinked ones, and even processes that have ended but are still in memory.
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img --profile=WinXPSP2x86 pslist
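Added example (not from the slides or from Volatility itself) of the comparison a practitioner makes after running both plugins: it parses constructed pslist and psscan output in the Volatility 2.6 column layout (an assumption) and reports every PID that psscan carved but pslist did not list, separating processes that simply terminated from hidden or unlinked candidates. Process names and offsets in the sample are constructed.

```python
"""Cross-check Volatility 2 pslist vs psscan: added example, not from the slides.
psscan carves EPROCESS blocks, so it also finds unlinked (hidden) and terminated
processes; layout follows Volatility 2.6 (assumed), sample output is constructed."""

# Constructed pslist output: the linked process list only.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x81f5e020 smss.exe                368      4      3       19 ------      0 2011-11-14 11:00:00 UTC+0000
0x81ef1a40 explorer.exe           1484   1448     17      427      0      0 2011-11-14 11:00:40 UTC+0000
"""
# Constructed psscan output: includes a terminated process and one unlinked one.
PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System               4      0 0x00039000
0x0000000002029c28 smss.exe           368      4 0x0a740020 2011-11-14 11:00:00 UTC+0000
0x00000000020f1a40 explorer.exe      1484   1448 0x0a7401e0 2011-11-14 11:00:40 UTC+0000
0x000000000211b020 notepad.exe       3912   1484 0x0a740260 2011-11-14 11:01:12 UTC+0000   2011-11-14 11:05:30 UTC+0000
0x0000000002214da0 svch0st.exe       1640    668 0x0a7402c0 2011-11-14 11:00:55 UTC+0000
"""

def parse_table(text, exited_tokens):
    """Map PID -> info. exited_tokens = tokens on a row that has an exit
    time (pslist 14, psscan 11; each timestamp splits into 3 tokens)."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith("0x"):
            continue  # header, separator or blank line
        offset, name, pid, ppid = parts[:4]
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "offset": offset,
                           "exited": len(parts) >= exited_tokens}
    return procs

def compare(pslist_text, psscan_text):
    """Return (pid, name, verdict) for processes psscan found but pslist did not."""
    listed = parse_table(pslist_text, 14)
    scanned = parse_table(psscan_text, 11)
    findings = []
    for pid in sorted(set(scanned) - set(listed)):
        p = scanned[pid]
        verdict = ("terminated, still in memory" if p["exited"]
                   else "HIDDEN/UNLINKED candidate")
        findings.append((pid, p["name"], verdict))
    return findings

if __name__ == "__main__":
    for pid, name, verdict in compare(PSLIST, PSSCAN):
        print("%6d %-16s %s" % (pid, name, verdict))
```

A hidden/unlinked candidate is where to point dlllist, getsids and procdump next; a terminated entry is normal and only confirms psscan's wider coverage.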
DLLLIST
dlllist: shows the libraries loaded by a process. With -p [PID], it shows only that process.
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img --profile=WinXPSP2x86 dlllist -p [PID]
DLLDUMP
dlldump: extracts all the libraries loaded in memory. Part of a library may be missing because it has been paged out to the paging file.
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img --profile=WinXPSP2x86 dlldump
Getsids, cmdscan & consoles
getsids: obtains the security identifiers (SIDs) associated with a process. Useful to identify privilege escalation.
Cmdscan: shows a history of commands entered in the terminal. Only valid up to Windows 7 inclusive.
Consoles: similar to cmdscan but with more detailed information. Shows the on-screen output of the commands executed.
Verinfo & Procdump
verinfo: shows version information of the PE files and libraries loaded in memory.
procdump: extracts the executable of the given [PID]. If the executable is fully loaded in memory, it will be operative; if parts of it were paged out, see:
http://computer.forensikblog.de/en/2006/04/reconstructing-a-binary-1.html#more
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img --profile=WinXPSP2x86 procdump -D salida/ -p 3912
Evtlogs, filescan, connections & Iehistory
Evtlogs: shows the event logs loaded in memory.
Filescan: shows open files as well as file permissions. It obtains the information even if a rootkit is hiding the open handle.
Connections: shows the TCP connections established by the machine.
Iehistory: shows the Internet Explorer browsing history as well as parts of the browser cache.
Sockets, hivelist, hashdump, dumpregistry
Sockets: shows the sockets (TCP, UDP, raw ...) that are listening on the examined machine.
Hivelist: shows the location and offset of the hive files in memory.
Hashdump: shows the password hashes of the system's users. They can be cracked using John the Ripper, rainbow tables ...
Dumpregistry: extracts the Windows registry loaded in memory.
Mbrparser & much more
mbrparser: shows the master boot record of the machine.
Complete list of plugins:
https://github.com/volatilityfoundation/volatility/blob/master/README.txt
Tools
• Sysinternals
  – File and disk utilities
  – Network and processes
  – Security
• Third Party Software
  – OS password cracking
    • Koonbot
    • L0phtcrack...
  – Forensic Live OS
    • Caine
    • Deft...
  – RAM utilities
    • Volix
    • Strings
    • Had3s
Nirsoft – Web browser pass view
Nirsoft – Live contacts view
Nirsoft – Mail Pass view
Nirsoft – Opened files view
Nirsoft – Outlook address book view
Nirsoft – Password security scanner
Nirsoft – Pst Password
Nirsoft – Skype contacts view & Skype log view
Nirsoft – Users profile view
Nirsoft – My Uninstaller
Nirsoft Video cache view
Nirsoft – Web browser pass view
Nirsoft – What in startup
Nirsoft – Who is connected
Nirsoft – Log on view
Nirsoft – Prefetch view
Nirsoft - Wireless
Nirsoft - Launcher
Security Xploded – Password decoder
Security Xploded - Bitcomet
Security Xploded – Browser Password decryptor
Security Xploded – Chrome autofill
Security Xploded – Facebook history
Security Xploded – Facebook password
Security Xploded – Firefox autofill
Security Xploded – Instagram password
Security Xploded – Itunes password
Security Xploded – Linkedin password
Security Xploded – messenger password
Security Xploded – Pinterest password
Security Xploded – Social networks passwords
Security Xploded – Twitter Password
Security Xploded – Wifi password
Security Xploded – Yahoo password
Sysinternals – Disk Monitor
Sysinternals – Process explorer
Sysinternals – Ram map
Sysinternals – TcpView
Sysinternals – Strings
Sysinternals – Coreinfo