Triage - Live Data Forensics

Triage & DFIR
Cesar Lorenzana
Copyright © 2018 todos los derechos reservados

Live Data Forensic
• Concept - Get maximum information
while the computer is on
• It will be carried out in many of our
investigations
• Objective: preserve volatile evidences,
especially ram memory and collect
system information

Triage
• Concept: from the medical sector. Set
of actions that an examiner carries out
to have an overall idea of the system to
be examined and determine the
relevance and priority of the evidence
to be collected.
• Objective: To begin the forensic
examination for those indications that
are crucial in the investigation and that
could disappear.

Risks
• Data collection presents some risks
• Press a key, connect a pendrive, execute an application ...
EVERYTHING modifies the system. (Locard)
• Objective: to collect the information minimizing the alteration
of the system and thoroughly documenting the entire
process.
• Purists: Do not touch anything!
• Pull the plug?

Waking Up the device
• Move the mouse or touch • Prees a key….
the trackpad – Alt
– Ctrl
– Shift

Gathering Data
• There is no way to avoid making changes to the system

• Objective: to collect as much information as possible with the
lowest "footprint"
• The order in which the data is captured can be crucial in the
investigation - we must follow the correct order of volatility

What data do we need ?
– Information describing the current state of the
system:
• Network connections, internet connection, IP address ...
• Processes running in the system
• Volumes or encrypted files
• Users, date and time of the system
• Open files
• Clipboard content
• Command history
• Network units mapped
• In general, any information that might disappear.

“Live response” Tools
• An LR tool should get:

– Date, time and time zone of the system
– Operating system version
– General system information (memory size, hard disk (s), file system)
– Services and applications configured at system startup (Web
servers, databases, email applications, antivirus ...)
– Scheduled tasks
– Local user account and group to which it belongs

“Live response” Tools
• An LR should also extract:
– Details of the network interface (IP address and MAC of the device)
– Routing tables, ARP tables, DNS cache ..
– Drivers or loaded modules
– Device configuration information
– History of "login" of the user, name of the user, duration of the
sessions ...
– List of installed software (browsers, antivirus, encryption software,
various applications ...]

Mandiant´s Redline
• Mandiant's Redline: "GUI" tool that can both extract
information and analyze the extraction

Mandiant´s RedLine Settings

Mandiant´s RedLine Settings (II)

Mandiant´s RedLine Settings (III)

Mandiant´s RedLine Settings (IV)

Mandiant´s RedLine Settings (V)

Running Mandiant´s RedLine

Remote Gathering Reports
Copyright © 2018 todos los derechos reservados 17

Docker

Get Rapid Response (GRR)

Deploying GRR
Launch a docker instance:
docker run
--name grr-server
-e EXTERNAL_HOSTNAME=“localhost”
-e ADMIN_PASSWORD="demo"
--ulimit nofile=1048576:1048576
-p 0.0.0.0:8000:8000 -p 0.0.0.0:8080:8080
grrdocker/grr:v3.2.3.2 grr
Credentials: admin/demo
Stop the docker: docker stop grr-server

Delete the docker: docker rm grr-server
Get Rapid Response

Systeminfo

msconfig

Linux - Fast IR Collector

Fast IR Collector
Tool written in Python 2.7
It must be executed as root
Results in CSV

Fast IR Collector

Mac OS
• Recon (Sumuri) (Commercial & Paid Tool)

Mac OS
MAC_APT: https://github.com/ydkhatri/mac_apt/wiki

Mac OS

Volatile Data: RAM Memory
• RAM (Random Access Memory): type of memory
characterized by needing electrical flow to preserve
information.

Dataflow

Types of RAM
• SRAM (static Ram): faster than DRAM but more expensive
(CPU registers of the CPU, internal CPU caches, hard disk
buffers ...)
• DRAM (Dynamic Ram): More rapid than a hard drive but
slower than the SRAM

Data of Interest in RAM
• Running processes and open ports
• Passwords without encryption (usually encrypted on disk)
• Data unencrypted
• Logged user
• System information
• Connected devices

Dumping the RAM

RAM Analysis

Volatilityfoundation.org

Parameters & Plugins

Parameters & Plugins

Pslist, Psscan y Pstree
Pslist: Shows the processes that were running at
the time of the dump. Does not show "unlinked" or
hidden processes
Pstree: shows the processes in the form of a tree.
Psscan: Shows all processes, even hidden and
unlinked. Even processes that have ended but were
still in memory.
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img
--profile=WinXPSP2x86 pslist

DLLLIST
dlllist: Shows the libraries that are loaded by a
process. With -p [PID], it shows only the PID process
--profile=WinXPSP2x86 dlllist – p [PID]

DLLDUMP
dlldump: extracts all the libraries loaded in memory.
Possibility that part of the library is not in memory
because it is in paging files.
--profile=WinXPSP2x86 dlldump

Getsids, cmdscan & consoles
getsisds: obtains the security identifiers associated
with a process. Useful to identify privilege scales.
Cmdscan: shows a history of commands entered in
the terminal. Only valid until windows 7 inclusive.
Consoles: similar to cmdscan but with more detailed
information. Shows the output on the screen of the
commands executed.

Verinfo & Procdump
verinfo: shows information of the PE and the
libraries loaded in memory.
procdump: it extracts the executable that we say
[PID]. If the executable is fully loaded in memory, it
will be operative, in case of paging we can consult :
http://computer.forensikblog.de/en/2006/04/reconstructing-a-
binary-1.html#more
./volatility_2.6_mac64_standalone -f WXP-20111114-110129.img --
profile=WinXPSP2x86 procdump -D salida/ -p 3912

Evtlogs, filescan, connections & Iehistory
Evtlogs: shows the events loaded in memory.

Filescan: shows open files as well as file
permissions. It obtains information even if a rootkit
is hiding the opening.
Connections: shows the TCP connections
established by the machine.
Iehistory: shows the browsing history of internet
explorer as well as parts of the browser cache.

Sockets, hivelist, hashdump, dumpregistry
Sockets: shows those sockets (TCP, UDP, Raw ...)

that are listening on the examined machine.
Hivelist: shows the location and offset of the hive file
inside the memory.
Hashdump: shows the hashes of the user keys of
the system. They can be cracked using John the
ripper, Rainbow tables ...
Dumpregistry: extracts the windows registry loaded
in memory

Mbrparser & much more
mbrparser: shows the master boot record of the

machine.
Complete list of plugins :
https://github.com/volatilityfoundation/volatility/bl
ob/master/README.txt

Tools
• Sysinternals • Third Party Software
– File and disk utilities – Crack password SO
– Network and processes • Koonbot
– Security • L0phtcrack...
– Forensic Live OS
• Caine
• Deft...
– Utilidades RAM
• Volix
• Strings
• Had3s

Nirsoft – Web browser pass view

Nirsoft – Live contacts view

Nirsoft – Mail Pass view

Nirsoft – Opened files view

Nirsoft – Outlook address book view

Nirsoft – Password security scanner

Nirsoft – Pst Password

Nirsoft – Skype contacts view & Skype log
view

Nirsoft – Users profile view

Nirsoft – My Uninstaller

Nirsoft Video cache view

Nirsoft – Web browser pass view

Nirsoft – What in startup

Nirsoft – Who is connected

Nirsoft – Log on view

Nirsoft – Prefetch view

Nirsoft - Wireless

Nirsoft - Launcher

Security Xploded – Password decoder

Security Xploded - Bitcomet

Security Xploded – Browser Password decryptor

Security Xploded – Chrome autofill

Security Xploded – Facebook history

Security Xploded – Facebook password

Security Xploded – Firefox autofill

Security Xploded – Instagram password

Security Xploded – Itunes password

Security Xploded – Linkedin password

Security Xploded – messenger password

Security Xploded – Pinterest password

Security Xploded – Social networks passwords

Security Xploded – Twitter Password

Security Xploded – Wifi password

Security Xploded–Yahoo password

Sysinternals – Disk Monitor

Sysinternals – Process explorer

Sysinternals – Ram map

Sysinternals – TcpView

Sysinternals – Strings

Sysinternals – Coreinfo

Triage - Live Data Forensics

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Triage - Live Data Forensics

Загружено:

Авторское право:

Triage & DFIR

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

• There is no way to avoid making changes to the system

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

• An LR tool should get:

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados 17

Copyright © 2018 todos los derechos reservados 18

Copyright © 2018 todos los derechos reservados 19

Stop the docker: docker stop grr-server

Copyright © 2018 todos los derechos reservados 21

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados 26

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

--profile=WinXPSP2x86 dlllist – p [PID]

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Evtlogs: shows the events loaded in memory.

Copyright © 2018 todos los derechos reservados

Sockets: shows those sockets (TCP, UDP, Raw ...)

Copyright © 2018 todos los derechos reservados

mbrparser: shows the master boot record of the

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados

Copyright © 2018 todos los derechos reservados