You are only as good as your toolset!
In my last blog I asked the question, “Have you ever tried to chop down a tree with a fork?” and told you about an incident response process that was made difficult by the lack of adequate tools. This is a common problem in the field of incident response and security as a whole, and shouldn’t exist. Unfortunately, however, many system administrators, network administrators and help desk personnel assume they can handle an incident, when in reality it is far more complex than they are aware.
A basic introduction to incident response is beyond the scope of this blog, but I do want to introduce the reader to the “Order of Volatility.” This is a common methodology that is taught across the security spectrum. It provides the responder with the ability to gather evidence from the more volatile to the less. This is extremely important when responding to breaches or malware infections. So, let us review the order of volatility and while we walk through that, we will add some tools that can help you gather evidence in each stage.
Beginning at the most volatile and the most commonly sought after item of evidence, we can talk about network information present in the computer. This would consist of the routing table, ARP cache, network connections and other similar items. This type of information is lost when a computer loses power and can’t be recovered once it is gone. In order to gather this information we must interact with the system which can lead to the contamination of evidence. So, document, document, document! Make sure that you are keeping a clear and accurate record of any actions and tools you use when gathering evidence from a live system.
So, how does one go about gathering this type of information? The easiest and best tool around is the Windows Sys Internals suite of tools available at https://technet.microsoft.com/en-us/sysinternals/default. This is a set of free tools, primarily intended for system administrators and troubleshooting various problems, but also extremely useful for incident response activities. The suite includes such useful tools as PsFile, which shows any files that are opened remotely, and PsTools, a suite of command line tools that list running processes, either remotely or locally, and allows you to dump event logs and more. ShareEnum is a handy tool that scans files on your network and can be extremely helpful during a ransomware infection. TCPView allows the user to view active sockets on a system. The full list of tools is extensive and I would highly recommend having this tool in your toolkit for incident response.
Another superb tool that actually assists across multiple layers of the volatility chart is Carbon Black (https://www.carbonblack.com/). Carbon Black is an endpoint protection tool that should be installed on every network (at least if I had my way!). An analyst armed with Carbon Black can immediately access each endpoint on which it is installed and gather evidence ranging from the most volatile to the least. Not only does Carbon Black provide for evidence gathering, it doubles as an anti-virus and threat intelligence feed, which provides warnings to those tasked with protecting their network. If you aren’t using Carbon Black then you aren’t fully protecting your assets!
As you move past the process related items and into the memory portion of the order of volatility there are several tools that can help an analyst collect and preserve evidence. One of the most well known is Volatility. You can find Volatility at http://www.volatilityfoundation.org/#!24/c12wa. Volatility is a multi-platform memory analysis tool that is highly respected and extremely useful for deep memory analysis. There are many tools available for memory collection as well; one that I would highly recommend is FTK Imager (http://accessdata.com/product-download?/support/product-downloads). I recommend this tool because it is a highly versatile tool that can be used for more than just memory image capture. It has a GUI interface and is simple to use, which also makes it handy. Another tool that can be used for memory capture is Magnet Forensics “Magnet RAM Capture.” It can be found at https://www.magnetforensics.com/computer-forensics/acquiring-memory-with-magnet-ram-capture/. This is another GUI tool that can be run from a USB drive or the local machine.
If you have operating systems other than Windows in your network then you should explore other options for memory capture and tools other than Sys Internals. Linux and Apple operating systems require unique toolsets that are not supported by Windows. Since this blog post is primarily focused on Windows and the tools associated with that OS for incident response we will not delve into the other OS varieties here and now.
One of the most often overlooked sources of evidence is the actual network traffic. In the best case scenario, the victim organization has implemented a SIEM or log monitoring service, like those provided by NTT Security, and they have visibility to at least some of the network traffic to and from the infection point. This can enable the investigator to see the actual traffic that may have occurred leading up to the incident and speeding up the process of understanding what actually happened.
But sadly, in the real world when we ask for a packet capture from an event, we are routinely informed that the victim does not have it. Why? Because capturing network traffic is a storage intensive routine that many find cost prohibitive, yet they neglect to factor in the savings if a network capture is available and shortens the investigative time. There is often value in capturing the network traffic even if it is after-the-fact and there are many tools that can help with this process, one of which is Wireshark. Wireshark is a well-known and trusted tool that allows an analysts not only to conduct the packet capture but also provides many ways to analyze the capture. Wireshark can be found at https://www.wireshark.org/.
Another tool that I can’t praise enough is Packet Sled (https://packetsled.com/). Packet Sled provides what is termed “next generation” threat detection and network forensics. We have had the opportunity to utilize Packet Sled on several incident response efforts and found that it is extremely useful and provides analysts with the ability to instantly view the network activity, spot threats and stop them. How could you pass up on this as a tool in your bag?
Moving up the volatility ladder we come next to the disks themselves. This involves the operating system files and the wide variety of items that might be associated with the systems being examined. Since digital forensics actually started with these it usually more common for responders to know how to deal with them. A few rules have changed since the early days but mostly the tools utilized to collect and examine these systems have a long history and are both free and for purchase.
First up are the free tools! One of my favorites is Autopsy/Sleuthkit, to be found at http://www.sleuthkit.org/. This is an open source forensic tool that works on nearly every operating system out there. It comes in both a GUI and command line formats so it is useful for both the beginner and the advanced forensicator!. I have used Sleuthkit for Apple systems, Windows and Linux and found it to be comparable to EnCase and FTK (to be covered shortly!). If you are searching for a useful and versatile FREE tool then Autopsy/Sleuthkit is your choice!
Next up are two pay to use forensic software suites, EnCase and FTK, to be found respectively at https://www.guidancesoftware.com/ and http://accessdata.com/. These tools are high end and priced accordingly. Both are strong forensic suites that handle a wide variety of operating systems. Each possesses it’s own strengths and weaknesses and have their proponents in the forensic field. These tools are fairly pricey; usefulness comes with a price after all! If you have the money to invest, however, these tools can do a lot of work for your analysts and allow more time to investigate incidents. One of their strengths is that they automate a large portion of the work and provide your analyst with the ability to start a case processing in the tool and move on to other response efforts while the tool does the work. Now, this does not mean that automation is always good, but in some cases it does serve a useful purpose.
If you are a bit confused after reading about all of these tools and the order of volatility I will provide you with a chart for quick reference:
I would be depriving you of another tool, one that combines several of the above-mentioned tools into one handy platform, SANS Investigative Forensic Toolkit (SIFT). You can find SIFT at http://digital-forensics.sans.org/community/downloads/. SIFT is free, provided by Rob Lee, and the staff at SANS for digital forensicators. The SIFT is a handy all in one toolkit that allows your analysts to conduct an entire forensic/incident response analysis utilizing free tools. It handles a wide variety of operating systems, partition tables and image formats (refer to the web site above for complete details). The learning curve can be steep, requiring your analysts to be familiar with command line utilization and Linux operating systems, since the SIFT is built upon the Ubuntu 14.04 OS. This is a handy tool to have in your incident response arsenal, one you can’t afford to ignore.
If you are tasked with handling the investigation of suspicious events and/or incident response with your company, then hopefully this blog will have presented you with some tools to increase your ability to successfully investigate these events. Take advantage of the many online resources available to you and your IR team. Do not rely on thinking you are prepared, when in fact you are trusting in a false presupposition. The world of incident response is intricate and involves not only artifact gathering and interpretation, but also admissibility of the evidence into court, possible testimony and other legal issues. Please feel free to pass this on to anyone who works in incident response, is interested in incident response or is part of an incident response team. Learn, grow and prosper!