What is Live Forensics?

• Live forensics collects all of the relevant data from the system that will be used to confirm whether an incident occurred
• To gather volatile information form compromised PCs
  • Data in Random Access Memory (RAM) is lost once power switched off
  • A lot of information lost is impossible to reconstruct from static forensic analysis.
• For instance - processes running, network connection Information, open files, clipboard information etc.

• The evolution of the enterprise network. Many companies:
  • Have multiple computers at a single location
  • Have several locations in a city, country, or continent
• It is our first reaction, we don't necessarily assume
  • We are under attack
  • Our systems have been compromised
• Investigators don't have to physically respond to the location to address the issue until they are satisfied with their initial inquiry
• This methodology will help conserve resources
• Big Data
  • 2TB Drive less than £100
  • 2TB disk drive could take more than 1 hour (30GB per minute) to image
• A data centre server
  • It has 63PB capacity
  • You have an ICS Image MASSter which images at 94.5GB per minute
  • How long do you think it will take to image 63PB (onto another 63PB drive! Must be kidding me!)?
• Encryption
  • If data is strongly encrypted, forensic Images will be just gibberish
  • Realistically, one can only rely on live or memory forensics
• If the suspect is using BestCrypt and doesn't have time to unmount the drives
  • The drives image will be in memory (at least part of it) UNENCRYPTED
  • You can extract process memory
• Malware
  • Malware likes RAM these days.
  • It won't leave a trace on the hard drive. E.g., Meterpreter!
  • Internal malicious users are hard to track without live memory.

Some examples:

• Internal fraud/malicious activity
• Malware. Trojan Defence. Almost always required
• Incident disclosure is a stick by law. Beware of the red herring
• Large networks - needs isolations of subset of infected machines
• High value e-commerce and critical systems

Static Analysis: Static program analysis is the analysis of computer programs performed without executing them

Dynamic Analysis: Dynamic program analysis is the act of analysing software that involves executing a program and recording changes made to the system.

• The system is live
  • Any tool you run will have a footprint which could be destroying evidence
• Validation of tools used by you during an incident should be run in a lab and its footprint should be documented
  • Is the tool you are using accurately? - Cross-Validate with similar tool if possible
  • Static and Dynamic analysis should be carried out
• Understand and establish your robust tool validation model
  • Document the model
  • The same model could also be used for malware analysis - kill two birds!

• Some volatile data are more volatile than others
  • Need to collect data from more volatile to less volatile
  • Establish a list of activities to perform in order
• The order of volatility is also determined by the scenario
  • Procedure for malware is different from malpractice

1. Carry a CD/USB with validated live forensics toolkit
2. Use a trusted version of cmd.exe from a read only media (CD/USB) - Malware could inject the USB so this makes sure no changes can be made
3. Collect system date and time
4. Extract physical memory
5. Extract logged on users' information
6. Extract network connection and open port information
7. Extract DNS queries and hostnames
8. Extract information about all running processes
9. Map open ports to processes
10. Extract information about all the services and drivers
11. Extract information about all open files
12. Extract information about all the mapped drives and shares
13. Get command line history
14. Examine if there are any unauthorised groups, users or shares
15. Any scheduled tasks
16. Extract clipboard contents
17. Get audit policy

• Highest on the order of volatility list from a live forensics' perspective
• When a live forensics tool runs on a live machine, it is loaded in the RAM, hence, changing its content
  • Important information could have been paged! You just can't quantify the side effects as this is very random
  • For instance, pslist pollutes memory
  
• If Live Acquisition is done first, then we are safe to go ahead and run our tools on the live system

Collect System Date and Time

• It is the first and the last thing to do during an investigation
• It helps investigator correlate and timeline incidents
• Use trusted cmd.exe to run
  • time /t and
  • date /t
• Document any discrepancies

Extract System Information

• Use built-in commands to extract host name, username and OS version
  • hostname - prints the computer name
  • whoami - prints current username
  • ver - gets OS version
  
• Get system information like Uptime, OS version, Processor and Memory
  • Many tools available. For instance, PSinfo.
  

• What is required
  • Username
  • Remote or Local
  • Login duration
  • Shares and files owned and accessed by each user
  • Processes owned by each user
  • Network connections associated with each user
• Always use different tools to cross validate each other
• Psloggedon
  • Displays local (on keyboard) and remote users logged on.
  • Also displays users that have accessed resource shares.
  
• net sessions
  • Native command
  • Gives client types and also the IP addresses of remote login sessions
  • It also shows the number of files open remotely and duration of the remote session
• net users
  • Native command
  • Reports a brief description of the last time a local user logged on. Information is extracted from Registry
  
• LogonSessions
  • Provides the Security ID which is assigned by the domain controller to establish access /privileges according to an access control list.
  • The Authentication protocol used - NTLM, Kerberos etc.
  • -p option also list processes running under each session
  • The session type: service, network and interactive
  
• Well Known SIDs
  • SID is unique identified for any entity that requires access check before accessing an object. SID is matched with Security Descriptor to give access to files, directory, executable etc.

• ipconfig /all
  • Will provide IP address, default gateway, subnet mask and DNS server
  • This information is mandatory when correlating with network related logs like IDS, firewall, proxy server and event-viewer logs
  • It will provide context for further steps in live forensics and also nonvolatile forensics
  
• promiscdetect.exe
  • If the Network Interface Card (NIC) is in Promiscuous Mode then there is a chance that it is being used as a sniffer.
  • Simply use a trusted copy of promiscdetect.exe from your toolkit
  • A clear warning of promiscuous mode will be displayed. Else only directed, broadcast and multicast modes will be listed
  
• URLProtocolView.exe
  • Find out all enabled network protocols
  • Some enabled protocols are susceptible to exploits or are indications of an exploit (e.g. IRC Chat)
  • URLProtocolView.exe from nirsoft is an excellent tool. It provides the processes that are currently registered to enabled protocols (a protocol needs to be registered with a process to be used).
  

• Get current and recent network activity
• Very Important to know. Why?
  • Current: To determine if the attacker is currently on the system before you continue. If so then beware of counter surveillance
  • Current and recent: Test for malware calling back home - URL, IP address of attacker. Find other compromised PCs on the network
• What are we interested in?
  • Active network connections
  • DNS queries made
  • ARP
  • NETBIOS name tables
• netstat -ano
  • Active Connections - Gives the following:
    • Protocol - UDP or TCP
    • Local IP address and port
    • Foreign IP address and port
    • State - Established or listening
    • PID - Process ID
  • Every network connection has to have a process associated with it - the process could be malware. Important clues!
  • Ports reveal a story, there are famous ports 80 for http or 6667 for IRC protocol for bots!
  • PID will be later mapped to Process.
  
• ipconfig /displaydns
  • DNS Queries
  • Systems have a record of recent DNS name resolutions made
  • Sometimes malicious domains are blacklisted, and this information is readily available. Free honeypots http://www.threatlog.com/ and commercial services
  
• arp -a
  • ARP Cache
  • ARP protocol Maps MAC address to IP addresses at layer 2
  • ARP protocol not routable to the Internet
    • Only useful to find internal attacks or detect other compromised PCs on the network
  • When a MAC address (of a remote PC) gets associated with an IP address, it is recorded in an ARP cache or table.
    • The host can map a MAC address to IP address. This establishes the recent connection environment of a victim PC
  • For each NIC, MAC address and IP address of its neighbours is recorded
  
• NETBIOS names cache
  • Windows file shares and printer shares use NETBIOS sessions over TCP
  • Worms, Trojans and bots like these very much to spread in a network. NETBIOS name cache is helpful to find other compromised machines
  • Internal or external hacker can query other vulnerable machines in the network using net view for example, without raising suspicion
  • Recent NETBIOS sessions will be in the volatile memory. Tools can provide the NETBIOS names to IP address mapping
  • Use nbtstat -c to display the NETBIOS remote PC name cache for each NIC as well as the remote IP address
  • Use net sessions to display recent and current NETBIOS Sessions
  • The best - use net file to list any recent file transfers using a NETBIOS sessions

• Collection of process information is not sufficient
• Process context is needed to crack
  • Because malware tries to hide and blend into the system - svchosts. This can confuse the investigator. But if we for example can detect WINSOCK library dependency in svchost - something is wrong! Context Is King
• More is needed. The information gathered so far will help too.
• What context should you collect?
  • Process Name and PID
  • Memory usage
  • Process to application and process to user mapping.
  • Process tree - parent child relationship
  • Associated object handles
  • Library Dependencies
  • Command line used to invoke a process.
  • Memory content

• tasklist
  • Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer
• pslist
  • Shows timeline - process up time. If the time at which the process started coincides with the time at which the symptoms started, then the process can be isolated. Also, other associated events at similar time window should be suspicious e.g., event logs, service start-ups , packets transferred (Wireshark)
  • Also shows CPU utilisation - can be indicative of activity on an idle PC. Processes that seem benign can be isolated as malware
• pv.exe -e
  • Will map each process to the path of the exact executable on the system
  • If process not running form the normal location, then it's worth investigating the process further e.g. svchosts, spoolsv should be in system32
  
• cprocess.exe /stext <filepath>
  • Gets all the details you need to know about mapping process to executable
  • Reveals the user who owns a process
  • Look for important clues like – if spoolsv belongs to an anonymous user instead of NT Authority/system then there is something wrong
  
  
• pslist -t
  pv.exe -t
  • Process Tree
  • Sometime processes spawn additional processes - anonymous processes
  • Once a malicious process has been identified find all its children
• pv.exe -l
  • Command line parameters
  • Once rogue processes have been found, dig deeper to finding out the command line parameters that were used to launch the malware
  • Often helps in locating other processes that are related to the malicious one, as shared resources may be accessed via command line parameters
• listdlls.exe <processname>
  • DLL Dependencies
  • Static vs dynamic linking?
    • Static - one large executable with all the libraries compiles into it
    • Dynamic - smaller executable - loader loads the library from native system at run time, when needed
  • Malware payload needs to be small in order to be stealthy - so it uses native libraries/dll and loads them dynamically.
  • Very important volatile information as can give clues on what functionality the rogue process has.
    • E.g., if the process is loading - \system32\WINSOCK2.dll then most probably it is connecting to a remote host / calling back.
  • Also, a very important signature - distinguish between chameleon and real processes.
  

• netstat -anb
  • Using netstat -ano maps open IP address and Port to PID. Using netstat -anb maps it to process.

• Services are long running processes that run in the background under non-interactive user account. They can be configured to run under normal user account too.
• Perfect place for malware to reside - hidden
• What?
  • Service and Display Name
  • Start-up type
  • Current Status
  • Description and dependencies
  • User/Non-interactive account
  • PID
  • Exe path
• Use serviwin /stext services log.log. The output will appear in log.log.
• Can also use psservice from sys internals

Drivers

• Drivers can run in kernel land and has unlimited access to system resources. Rootkits are installed and hidden by drivers. Rootkits can be detected during live acquisitions
• Use serviwin again this time for drivers
  • serviwin /stext drivers log.log
  • Driveview /stext log.log

• Open File Enumeration - Opened Locally
  • OpenedFilesView displays the list of all opened files on your system.
    • For each opened file, additional information is displayed: handle value, read/write/delete access, file position, the process that opened the file, and more...
• Open File Enumeration - Opened Remotely
  • net file provides all files open on the system
    • But truncated long file name can be very bad for Incident Response...
  • psfile provides full names for files open on the system
    • Unauthorised remote access to a file almost always means a compromised network
• Recently Accessed Files
  • Interesting in case of malicious insider, who hasn't had to clear the recent document folder
  • Two sources of information
    • C:\Users\[Your Profile]\AppData\Software\Microsoft \Windows\Recent
    • When file opened with save/open dialog box it is stored in - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
  • recentfileview.exe
    • Recentfileview.exe /stext rf.log
    • Display the list of all recently opened files, and allows you to delete unwanted filename entries. You can also save the files list into text/html/xml file.

• Find out shares, could be indications of malicious insider activity
• Use net share command or use share.exe

• More useful for insider attacker, remote malicious cmd.exe will not usually be visible.
• Unlike Linux systems there is no keystroke logging of the commands executed on bash.
• No such luck on windows.
• Only possible to extract cmd history if the cmd.exe was left open.
• If acquired then very useful - file name , IP addresses , executables recently executed and shutdown and more...
• Use doskey /history

• Logic bombs
• Can be used by insiders and malware
• Used by malware to remain undetected
• Use windows native schtasks /query to check any unusual scheduled tasks

• Can provide a lot of information about insider malicious activity like:
  • Attack commands
  • Usernames
  • Passwords for file encryptions
  • Host names of other compromised endpoints
  • IM chat
  • And other depending on context, so always prudent to catch these
• Use a pclip.exe