Forensics

Investigation

Before an investigation starts we have unclear information, a hypothesis, partial data and an incomplete story. The main goal of forensic analysis is to complete the picture (confirm or refute the hypothesis, uncover the whole story, ...).

When something suspicious happens it is common to investigate it: what, when, who, how, ...?

It is crucial to ask the right questions in order to find the right answers.

An investigation is a process from questions to answers (through hypotheses). It is crucial to verify each hypothesis before going further; the verified hypotheses lead us step by step. The result is a chain of consequences: each confirmed fact supports the next question.

Typical questions

  • How did the attacker compromise the machine?

  • What did the attacker do on the machine?

Principles of forensic analysis

Consistent data

The main goal is not to change the analyzed system. This is hard, because gathering evidence itself creates artifacts (at the very least, memory changes while it is being acquired).

Document everything: when, who and what.

Always work with a copy of the created image, never with the original disk.

Chain of continuity

From evidence to results, e.g. an image of an SD card contains pictures (selfies), the EXIF information in the pictures contains GPS data, and this data points to a physical location.

From that we can say: XY was at that location on that date. Each link in the chain must be documented, so the conclusion can be traced back to the evidence.

Supports credibility of the analysis

Repeatability

Verification of analysis

  • Verification of results

  • Check by other analyst

Input data + analyst's notes = repeatability of the analysis

Supports credibility of analysis

Neutrality

Forensic analysis is about interpretation of evidence.

No judging, rating!

Focused only on facts!

Intelligibility

The audience may include people with little technical skill; the results must be understandable to them.

Quick Play for Forensic Analysis

Definition

  • Specification of input data (disc image, memory, application logs, IoC,...)

  • Specification of analysis output (questions)

Analysis

  • Usage of appropriate tools and techniques

  • Document all steps

  • Answer all questions

Presentation

  • Final report

  • Presentation

Evidence gathering

Motivation

We have a compromised system.

We want to know what led to the compromise, so we need evidence.

The gathered data will be used as evidence for further analysis. The main goal is to gather as much of the available data as possible:

  • Disc image (snapshot)

  • Memory image (snapshot)

  • Logs (system, application)

Gathering evidence

  1. Plan data acquisition

  2. Evidence gathering

  3. Verification of match (between original evidence and image)

Preparation

  • Which information do we need (logs, disks, memory)?

  • Where will the data be stored? How much storage do we need for it?

  • How long will it take?

  • How will the documentation be stored?

    • Where will the notes be kept?

    • Naming convention for evidence?

    • Which hashes will be used (MD5, SHA1, SHA256, SHA512), and where will they be stored?

  • In which order will the evidence be gathered?

    • Value of data (in terms of the investigation)?

    • Amount of data?

    • Volatility (memory before disk)?

  • Other sources of data

    • Application data (web server, mail server,...)

    • Network data (netflow, PCAP)

    • Security data (firewall, IDS)

  • Do we have a log management policy? A SIEM?

  • What about time zones?

    • UTC or local?

    • Synchronized among all hosts?

Evidence collection

Gathering evidence should not modify the data source, yet every analyst step will (somehow) modify it. The cleanest option would be to shut the system down first, but that loses everything in memory.

Whether to shut down first or to image the live system depends on the case (self-destructing malware argues for imaging now; a defaced web site can wait).

Example of evidence gathering

  • Gathering volatile data (memory)

    • To new (forensic) disc

    • To remote system/storage

  • Boot from trusted source (USB)

    • Imaging disc volume

  • Gathering other non-volatile sources

  • Documenting steps

    • 2019-09-17 12:23 - USB inserted into infected machine

    • This helps to identify the artifacts created by the forensic steps themselves (e.g. USB device events after that time).

Imaging system

To create a disk image of a physical machine, it has to be booted from a live image (USB/network). Virtual machines can be snapshotted, which is easier and better.

Create disc image

Make sure that the imaged disk is the right one (check lsblk / blkid output before running dd)!

$ dd if=/dev/sdaX of=/mnt/YYYY-MM-DD-caseXXX-machineID/sdaX bs=OOO conv=noerror,sync

bs is the block size; conv=noerror keeps dd going on read errors and sync pads each unreadable block with zeros, so offsets in the image still match the original disk.

Create memory image

The memory of a virtual machine can be snapshotted, which is easier and better (it does not pollute memory with artifacts of the forensic tooling).

Create & Verify

All obtained data have to be hashed (MD5, SHA1, SHA256 and SHA512). MD5 and SHA1 collisions can be constructed in practice, so SHA256 (or SHA512) is the digest that actually proves integrity; the weaker ones are kept for compatibility with tools and reports that expect them. Producing a modified image that matches all four at once is not feasible.

Copy of copy

Always store the image in a safe place and create a (working) copy of it, so the original stays intact. All investigation is done on this copy of the copy; if it gets damaged, make a fresh copy and verify its hashes again.
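The create-and-verify step above, as an added example (not code from the original notes): hash an image once with all four digests, record them in a manifest, verify a working copy against the manifest, and show that a single flipped byte fails verification. It builds its own throwaway "evidence" file in a temporary directory so it runs offline; the manifest layout and the file names (YYYY-MM-DD-caseXXX-machineID-sdaX.img plus a .hashes file) follow the naming convention used in these notes and are an assumption, not a standard.

```python
"""Hash a forensic image once with several digests, record the result in a
manifest, and verify any later copy against it.

Added example, not from the original page. The evidence file is constructed
in a temp directory; the manifest layout is an assumption.
"""
import hashlib
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def multi_hash(path, chunk_size=1024 * 1024):
    """Return {algorithm: hexdigest} for a file, reading it exactly once.

    Reading once matters for large images: four passes over a multi-terabyte
    image is four times the wall-clock time and four times the wear on the
    evidence drive.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(manifest_path, image_path, digests):
    """Write one 'algorithm  hexdigest  image-file-name' line per algorithm."""
    with open(manifest_path, "w") as fh:
        for name in ALGORITHMS:
            fh.write(f"{name}  {digests[name]}  {os.path.basename(image_path)}\n")


def read_manifest(manifest_path):
    """Parse the manifest back into {algorithm: hexdigest}."""
    digests = {}
    with open(manifest_path) as fh:
        for line in fh:
            algo, digest, _name = line.split()
            digests[algo] = digest
    return digests


def verify(path, manifest_path):
    """True only if every recorded digest matches the file at `path`.

    All four must agree: a mismatch in any single one means the copy is
    not the evidence that was imaged, whatever the other digests say.
    """
    expected = read_manifest(manifest_path)
    actual = multi_hash(path)
    return all(actual[name] == expected[name] for name in ALGORITHMS)


def demo():
    """Image -> manifest -> working copy -> verify; then tamper and re-verify.

    Returns (verdict_for_good_copy, verdict_for_tampered_copy).
    """
    work = tempfile.mkdtemp(prefix="case000-")
    try:
        evidence = os.path.join(work, "2019-09-17-case000-host01-sda1.img")
        with open(evidence, "wb") as fh:  # constructed stand-in for a disk image
            fh.write(b"\x00" * 4096 + b"constructed partition data" + b"\xff" * 4096)

        manifest = evidence + ".hashes"
        write_manifest(manifest, evidence, multi_hash(evidence))

        working = evidence.replace(".img", ".working.img")  # the copy of the copy
        shutil.copyfile(evidence, working)
        good = verify(working, manifest)

        with open(working, "r+b") as fh:  # flip a single byte inside the data
            fh.seek(4100)
            fh.write(b"X")
        bad = verify(working, manifest)
        return good, bad
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In a real case the first multi_hash() runs against the original image right after acquisition and the manifest goes into the case documentation next to the image; every later copy (and the original, before it is sealed) is checked with verify(). The manifest lists all four digests so that a reader with only md5sum or sha256sum at hand can still check it.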

Incident response (gathering useful data)

An incident response script for gathering data from Windows/Linux machines can be found here.

Timeline analysis

Events with timestamps are useful in forensics. They help us build the bigger picture: what happened, when, who opened the file, ...

  • file system metadata

  • file metadata (EXIF, Prefetch,...)

  • logs (system, application, external - network based = PCAP or flow)

Most events carry a time: application execution, file access/modification. The file system holds that evidence: file metadata contains the access, modify, change and birth (creation) timestamps (MACB).

A timeline is a time-ordered subset of all events that happened on the system.

Ideally, transform local times to UTC first and then build the supertimeline from UTC-based evidence.

A useful framework is The Sleuth Kit (TSK), which contains many tools, for example fls and mactime.

fls creates a bodyfile from the file system, recursively from the top (/) to the last file present:

$ fls -r -m / <PATH-TO-IMAGE> > caseXXX-machineID-sdaX-filesystem-tml.txt

mactime turns the bodyfile into a human-readable timeline (-y prints ISO 8601 dates, -d comma-delimited output, -b bodyfile input; add -z UTC to render the times in UTC):

$ mactime -y -d -b caseXXX-machineID-sdaX-filesystem-tml.txt > caseXXX-machineID-sdaX-filesystem-mactimes.txt

log2timeline (Perl, legacy)

  • supports file systems (the image has to be mounted)

log2timeline.py (Plaso framework)

  • modular, custom parsers

  • supports images directly

Another approach to timeline

Linux

Run the pair below against a read-only mounted image (replace / with the mount point); on a live system every command run leaves artifacts. time.ctime renders in the analysis host's local zone, so run it with TZ=UTC to keep the output consistent with the rest of the supertimeline.

find / -xdev -print0 | xargs -0 stat -c "%Y %X %Z %A %U %G %n" >> timestamps.dat
timeline-decorator.py < timestamps.dat | sort -n > timeline.txt
#!/usr/bin/python3
# nixon's security @ taipei (ported to Python 3)
#find / -xdev -print0 | xargs -0 stat -c "%Y %X %Z %A %U %G %n" >> timestamps.dat
#timeline-decorator.py < timestamps.dat | sort -n > timeline.txt
#
# Input: one line per file, "mtime atime ctime mode user group name"
# (epoch seconds). Output: one line per distinct timestamp of each file,
# tagged with which of m/a/c it represents, so `sort -n` on the first
# column yields the timeline.

import sys, time

def print_line(flags, t, mode, user, group, name):
	print(t, '"' + time.ctime(float(t)) + '"', flags, mode, user, group, name)

for line in sys.stdin:
	line = line.rstrip("\n")
	if not line:
		continue
	# maxsplit=6 keeps file names that contain spaces intact
	(m, a, c, mode, user, group, name) = line.split(" ", 6)
	if m == a:
		if m == c:
			print_line("mac", m, mode, user, group, name)
		else:
			print_line("ma-", m, mode, user, group, name)
			print_line("--c", c, mode, user, group, name)
	else:
		if m == c:
			print_line("m-c", m, mode, user, group, name)
			print_line("-a-", a, mode, user, group, name)
		elif a == c:
			# the original printed -a- and --c separately for this case
			print_line("m--", m, mode, user, group, name)
			print_line("-ac", a, mode, user, group, name)
		else:
			print_line("m--", m, mode, user, group, name)
			print_line("-a-", a, mode, user, group, name)
			print_line("--c", c, mode, user, group, name)

Supertimeline

The main goal is to put all timelines (file system, applications, network) together for context and a better picture.

The background of the supertimeline is described in a SANS blog post.
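The UTC normalisation and the merge described above, as an added example (not code from the original notes and not from Plaso or The Sleuth Kit): three sources in three formats are parsed, converted to UTC and sorted into one supertimeline. All input lines are constructed for this example: a TSK bodyfile as written by fls -m (epoch seconds, already UTC), syslog lines (no year, local time; the year 2019 and the +02:00 host offset are assumed), and a flow export that is already in UTC. The bodyfile parser collapses identical timestamps of one file into a MACB flag string the way mactime does.

```python
"""Build a supertimeline from three differently formatted sources, all
normalised to UTC before merging.

Added example, not from the original page. Every input below is constructed;
LOCAL_TZ and SYSLOG_YEAR are assumptions about the imaged host.
"""
from collections import namedtuple
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=2))  # assumed: host logged in UTC+2
SYSLOG_YEAR = 2019                        # assumed: syslog lines carry no year

# TSK bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODYFILE = """\
0|/var/www/html/index.php|1234|r/rrw-r--r--|33|33|512|1568715650|1568715630|1568715630|1568640000
0|/tmp/.x/backdoor.sh|5678|r/rrwxr-xr-x|0|0|2048|1568715690|1568715690|1568715690|1568715690
"""

# syslog, local time, no year
SYSLOG = """\
Sep 17 12:15:01 web01 sshd[2101]: Accepted password for www-data from 198.51.100.7 port 51022 ssh2
Sep 17 12:21:00 web01 sudo: www-data : TTY=pts/0 ; COMMAND=/bin/bash
"""

# flow export, UTC: start,src,sport,dst,dport,proto
NETFLOW = """\
2019-09-17T10:14:55Z,198.51.100.7,51022,10.0.0.5,22,tcp
2019-09-17T10:22:40Z,10.0.0.5,44012,203.0.113.9,4444,tcp
"""

Event = namedtuple("Event", "time source flags detail")


def parse_bodyfile(text):
    """One event per distinct timestamp of each file, flagged m/a/c/b."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        name = fields[1]
        stamps = dict(zip("amcb", map(int, fields[7:11])))
        for ts in sorted(set(stamps.values())):
            if ts == 0:  # unknown timestamp in the bodyfile
                continue
            flags = "".join(k if stamps[k] == ts else "." for k in "macb")
            events.append(Event(datetime.fromtimestamp(ts, tz=timezone.utc), "fs", flags, name))
    return events


def parse_syslog(text, year=SYSLOG_YEAR, tz=LOCAL_TZ):
    """Attach the assumed year and host offset, then convert to UTC."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        local = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        events.append(Event(local.astimezone(timezone.utc), "syslog", "....", line[16:]))
    return events


def parse_flows(text):
    """Flow records are already UTC; just mark them as such."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split(",")
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(t, "flow", "....", f"{src}:{sport} -> {dst}:{dport} {proto}"))
    return events


def build_supertimeline():
    """Merge all sources and order them by UTC time."""
    events = parse_bodyfile(BODYFILE) + parse_syslog(SYSLOG) + parse_flows(NETFLOW)
    return sorted(events, key=lambda e: (e.time, e.source))


def render(events):
    """One line per event: UTC time, source, MACB flags, detail."""
    return [f"{e.time:%Y-%m-%dT%H:%M:%SZ} {e.source:<6} {e.flags} {e.detail}" for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_supertimeline())))
```

Read top to bottom the merged output tells the story the single sources do not: an inbound SSH flow, the accepted password for www-data six seconds later, the modified index.php, the sudo to a shell, the new backdoor.sh, and an outbound connection to port 4444. The only assumptions that can break such a story are the ones declared at the top (year and host offset), which is why the notes insist on recording time-zone facts during preparation.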

Memory Analysis

Memory is great source of useful information.

Volatility is an awesome tool. First find out what the image is (profile, OS version), then list processes. The commands below are Volatility 2 syntax; Volatility 3 names its plugins per OS (e.g. windows.info, windows.psscan).

$ vol.py -f <PATH TO DUMP> imageinfo
# Get information about processes
$ vol.py -f <PATH TO DUMP> psscan
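Why psscan and not only pslist: pslist walks the kernel's linked process list, psscan carves process structures out of memory regardless of the list. Comparing the two is the classic check for processes that were unlinked to hide them. The following is an added example, not code from the original notes or from Volatility: the two tables are constructed and simplified (fixed columns, no offsets), and the parser is written for these lines, not for real Volatility output, whose column layout differs between versions.

```python
"""Cross-check two process views of the same memory image.

Added example, not part of the original page or of Volatility. PSLIST and
PSSCAN below are constructed, simplified tables; the parser targets them.
"""

# constructed: what a linked-list walk (pslist) reports
PSLIST = """\
Name         PID   PPID  Start
System       4     0     2019-09-17 08:00:01
svchost.exe  612   520   2019-09-17 08:00:09
explorer.exe 1888  1840  2019-09-17 08:01:30
"""

# constructed: what a pool scan (psscan) finds, including exited and unlinked ones
PSSCAN = """\
Name         PID   PPID  Time created         Time exited
System       4     0     2019-09-17 08:00:01
svchost.exe  612   520   2019-09-17 08:00:09
explorer.exe 1888  1840  2019-09-17 08:01:30
notepad.exe  2204  1888  2019-09-17 09:10:00  2019-09-17 09:12:44
rundll32.exe 3016  612   2019-09-17 10:21:31
"""


def parse_processes(text):
    """Return {pid: (name, ppid, has_exit_time)} from the simplified tables."""
    procs = {}
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        name, pid, ppid = parts[0], int(parts[1]), int(parts[2])
        # a second "date time" pair (7 tokens in total) is an exit timestamp
        has_exit = len(parts) >= 7
        procs[pid] = (name, ppid, has_exit)
    return procs


def hidden_processes(pslist_text, psscan_text):
    """PIDs psscan sees but pslist does not, split by the likely reason.

    Exited processes linger in memory until their pool is reused, so they
    are expected; a process with no exit time that is missing from the
    linked list is the one to look at first.
    """
    listed = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    exited, unlinked = [], []
    for pid, (name, ppid, has_exit) in scanned.items():
        if pid in listed:
            continue
        (exited if has_exit else unlinked).append((pid, name, ppid))
    return {"exited": exited, "unlinked": unlinked}


if __name__ == "__main__":
    for reason, procs in hidden_processes(PSLIST, PSSCAN).items():
        for pid, name, ppid in procs:
            print(f"{reason:9} pid={pid} ppid={ppid} {name}")
```

A hit in "unlinked" is a lead, not a verdict: confirm it with the other views Volatility offers (thread scan, handle tables, psxview in Volatility 2) and with the parent PID, which here points back at a known svchost.exe.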

Forensic Tools

Link to useful forensic tools and resources

How to write and present report of Investigation

The audience varies, from the CEO to people more skilled than you are.

Investigation report

Management summary

  • One comprehensive paragraph about investigation (including key things)

Input definition

  • Input data

  • Questions

  • The complete task assignment should be included in the attachments

Process of analysis

  • How the results were obtained

    • including graphs, charts,... in order to provide readability

Summary

  • Summary of analysis

  • Timeline - what happen, when,...

  • Answers to questions

List of abbreviations

  • All used

Discussion

Presentation of Investigation

Input definition

  • Input data

  • Questions

Process of analysis

  • How the results were obtained

Summary

  • Summary of analysis

  • Timeline - what happen, when,...

  • Answers to questions

Attachments

  • Each attachment covers exactly one specific problem or sub-problem

Resources
