DFIR Toolkit
Last updated
Last updated
Documentation for Digital Forensics and Incident Response Tools and Techniques
Incident Response
Network Analysis
Phishing Analysis
Systems Forensics
Security Information and Event Monitoring
Incident Response Lifecycle: Preparation -> Detection and Analysis -> Containment, Eradication, and Recovery -> Lessons Learned and Reporting
Phases
Preparation
Incident Response Plans Should Include the Following Sections:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Example Incident Response Plans
Create Incident Response Team and conduct training and create incident response run books
Create asset-inventories
Run risk assessments
Enact defensive measures, eg DMZ, NIDS/HIDS/NIPS, AV, Centralized Logging, EDR, Network Firewalls, Local Firewalls, WAFs, GPOs, NAC, web proxies, SPF/DKIM/DMARC, mark external emails, use email spam filters, DLP, sandboxing, attachment file restrictions, physical defenses, awareness training, phishing simulations, etc...
Detection and Analysis
Identify scanning, including:
Remote to Local Scanning (R2L): Search for HTTP connections of non standard ports
Remote to Local DoS/DDoS (L2R): search for anamolus traffic that differs from baselines
Local to Local Scanning (L2L): internal vulnerability scanners
Login Failures: search for windows event ID 4625
Containment
Perimeter containment
Block inbound traffic and outbound traffic.
IDS/IPS Filters to identify further malicious traffic and take automated actions, such as blocking active connections.
Web Application Firewall policies, to detect and take action against web attacks.
Null route DNS, to prevent DNS resolutions so internal hosts cannot find the IP address of a given domain name and establish a connection.
Network containment
Switch-based VLAN isolation, to restrict network access.
Router-based segment isolation, to restrict network access.
Port blocking, to prevent connections on specific ports.
IP or MAC Address blocking, to restrict network access.
Access Control Lists (ACLs), to provide rules that restrict what hosts on the network can and cannot do.
Endpoint containment
Disconnecting the infected system from any network connections (turning WiFi off, pulling ethernet cable).
Powering off the infected system.
Blocking rules in the local firewall.
Host intrusion prevention system (HIPS) actions, such as device isolation.
Eradication
Remove malicious artifacts
Reimage systems
Recovery
Identify root cause
Patch systems
Disable uneeded services
Update EDR, AV, IDPS, and SIEM rules
Share intelligence
Lessons Learned and Reporting
Post incident review meetings: what could be improved
Create report that should contain
Executive Summary
Incident Timeline
Incident Investigation
Appendix
Report considerations
Report Audience
Incident Investigation
Screenshots and Captions
Initial access 9 techniques:
Administrative feature of windows, WMI service used for local and remote access to SMB and the Remote Procedure Call Service (RPCS), MITRE provides specific identification of WMI
EG SSH, FTP, VPN
Obtaining valid accounts (eg via phishing)
Ways that adversaries will work to evade or disable security defenses such as antivirus, endpoint detection and response, logging, and human analysts
Impair defenses: disrupting operation of security tools (eg SIEM)
Disable of Modify Tools
Disable Windows Event Logging
HISTCONTROL (used to not log command history) which affects ~/.bash_history
Disable or Modify System Firewall
Indicator Blocking
Disable or Modify Cloud Firewall
Indicator removal:
Deleting bash history
Deleting files
Deleting raw log files
Timestomping
LSASS Memory: credentials stored in memory, eg using Mimikatz
Monitor lsass.exe in Windows
Use AuditD for Linux
/etc/passwd /etc/shadow: dumping /etc/passwd and /etc/shadow (only accessible by root) files for password cracking
Mitigations: account lockout policies, better passwords, MFA, log monitoring
Account discovery:
Local accounts: net user and net localgroup (windows), id and groups (MacOS), /etc/passwd using cat, string or head (Linux)
Domain accounts: net user /domain and net group domain (windows), dscacheutil -q group (MacOS), ldapsearch (linux)
Email and cloud accounts
Mitigations: disable the registry key to prevent administrator accounts from being enumerated, group policy can force this change network-wide
Network service discovery
File and directory discovery
Enumerating internal remote services, eg:
Remote Desktop Protocol (RDP)
SMB/Windows Admin Shares
Distributed Component Object Model
SSH
VNC
Windows Remote Management (WINRM)
Mitigating enumeration: use MFA, monitor timelines of logon activity
Internal spearphishing, eg using a script to email other users from a compromised systems emali client
Scan eamil/attachments for mitigation
Email collection
Audio capture
Screen capture
Data from local system
Mitigations: audit, encryption, MFA, monitor api calls releated to system audio, monitor unusual processes that access microphones, API calls taking screenshots
Data from local system mitigation: monitor for commands such as dir, find, tree, locate; monitor for excessive usage of commands in CMD and powershell related to exfiltration
Application layer using protocols like http, https, dns
Cobalt strike is an example of a C2 application
Mitigation: NIDS/NIPS, monitor network data flows
Web service: legit web services may be used for C2
Nonstandard ports: C2 typically uses ports that aren't associated with services
Mitigation: restrict proxies/firewall ports for outbound connections, packet inspection
Exfil Over C2 Channel
Mitigation: frequency analysis
Scheduled transfer
Mitigation: NIPS/NIDS
EG disrupting availability and intergrity
Account access removal:
Deleting or locking accounts
Password changes
Mitigation: windows log monitoring, baseline comparison
Defacement:
Delivering messaging,
Intimidation
Claiming credit for an intrusion
Mitigation: revert to latest backup, WAF to monitor websites, defend against SQL injection and cross site scripting
Data encryption (eg ransomware):
Mitigations: data backups, monitor specific command-line usages such as vssadmin, wbadmin, bcdedit
IP information
Windows: ipconfig /all
Linux: ip -aip r
Routing tables
Windows: route print
Linux: ip r list
Traceroute
Windows: tracert [URL]
Linux: traceroute [url] -p [port number]
DNS
Windows: nslookup [domain name]
Linux: dig [domain name]
Linux email DNS info: dig [domain name] mx
Linux get A record: dig [domain name] ANY +nocomments +noauthority +noadditional +nostats
Netstat
Windows and Linux current connections/listening ports: netstat -a
Windows current connections/ports/related executables: netstat -a -b
Windows and Linux statistics for all connections using TCP: netstat -s -p tcp -f
PING
Linux: sudo ping -v [target]
Linux ping summary: ping -c 5 -q [target]
Port Ranges
Well-known ports: 0 to 1023
Registered ports: 1024 to 49151
Private ports: 49152 to 65535
Common Ports:
FTP: 20, 21
SSH: 22
Telnet: 23
SMTP: 25
DNS: 53
DHCP: 67, 68
HTTP: 80
HTTPS: 443
Syslog (UDP): 514
RDP: 3389
-v
nmap -v [target]
Verbose output
-O
nmap -O [target]
OS detection
-sS
nmap -sS [target]
Fast scan
-sT
nmap -sT [target]
Half-scan, doesn't complete tcp handshake
-sU
nmap -sU [target]
Full scan, completeds tcp handshake
-sA
nmap -sA [target]
Firewall identification
-sV
nmap -sV [target]
Finds service on each responding port
Description: used to capture and analyze network traffic in the form of packet capture files
Usage
Basic Capture Filter Examples
Capture Filters
Limit traffic to and from IP address: host 192.168.1.1
All traffic on the subnet: net 192.168.0.0/24:
Packets sent to the specified host: dst host 192.168.1.1
Limit traffic to port 53 only: port 53
All traffic except DNS/ARP: port not 53 and not arp
Basic Display Filter Examples
Packets sent from one computer (ip.src) to another (ip.dst): ip.src==IP-address and ip.dst==IP-address
Show you all traffic on port 25 (typically SMTP): tcp.port eq 25
Only show ICMP traffic: icmp
All traffic except traffic from specified IP: ip.addr != IP_address
Traffic from src host using TCP 443, using TLC version 1.2: ip.src_host == 192.168.1.7 and tcp.port == 443 and ssl.record.version == 0x0303
Show specific HTTP method: http.request.method == "POST"
Search for a string within a frame: frame contains "string"
Search strings within packets: CTRL + F
Host Identification from DHCP traffic: ip.src==xxx.xxx.xxx && dhcp then search for Host Name in the DHCP Options of a DHCP request packet
Search for http redirection: http.reaspon.code==301 or search for the http.referer field
Search by port: tcp.port
More Advanced Searching
To follow a packet stream: Right Click -> Follow > TCP/UDP/SSL/HTTP Stream
To extract HTTP files from packets: File -> Export Objects -> HTTP -> Highlight File -> Save As
To extract FTP files from packets: filter FTP-DATA packets for export -> Right Click -> Follow > TCP Stream -> Show and save data as Raw
To extract files from streams: Follow TCP Stream -> Save stream as raw -> Analyze with exif-tools or change file extension
Example: frame contains 20210429_152157.jpg” -> Follow TCP Stream -> Save stream as raw -> then analyze with exif-tools or change file extension to view
To search for domain names: Statistics -> Search for IP
To identify hostnames from DHCP traffic: ip.src==xxx.xxx.xxx.xxx && dhcp -> search for Host Name in the DHCP Options of a DHCP request packet
To search for http redirction: http.response.code==301 or search for the http.referer field
Helpful Windows
Conversations
Protocol Hierarchy
Endpoints
Resources
Email Protocols
Simple Mail Transfer Protocol (SMTP): Port 25 by default, Port 587 for TLS
Post Office Protocol 3 (POP3): Port 110 by default, Port 995 for TLS
Internet Mail Access Protocol (IMAP): Port 143 by default, Port 993 for TLS
Email Security Measures
Sender Policy Framework (SPF): a type of DNS (TXT) record that can help prevent an email address from being forged by sending alerts
Domain Keys Identified Mail (DKIM): cryptographically verifies if an email has been sent by its trusted servers and wasn't tampered during transmission
Domain-based Message Authentication, Reporting and Conformance (DMARC): email authentication, policy and reporting protocol that specifies what happens upon SPF and DKIM failure
Types of Malicious Emails
Spam Recon Emails: identifying if email error codes are sent back
Social Engineering Recon Emails: attempting to get response
Tracking Pixel Recon Emails: see if the email has been viewed by an email client (track OS, email website, client, screen resolution, date/time of read, IP address)
Spam email
Links to credential harvesters, domains with typo squatting, shortened urls
Email Spoofing
From address may look legitimate but whois lookup of X-Originating-IP shows different organization
Reply-To address may be different than sender address
HTML styling
Common Email Artifacts
Sending Address
Subject Line
Recipient(s)
Date and Time
Sending Server IP
Reverse DNS of Sending Server IP
Reply-To (if present)
Links/a hrefs (IP and root domain of those links)
File Attachment name
File attachment SHA256 HASH
Common Malicious Email Attachment File Types
.exe (Executable)
.vbs (Visual Basic Script)
.js (JavaScript)
.iso (Optical Disk Image)
.bat (Windows Batch File)
.ps/.ps1 (PowerShell Scripts)
.htm/.html (Web Pages / Hypertext Markup Language)
Email anslysis resources
Standard Headers
From, showing the sender's email address
To, showing the recipient's email address
Date, showing the date when the email was sent.
Optional Headers
Received, showing various information about the intermediary servers and the date when the message was processed
Reply-To, showing a reply address
Delivered-To displays the recipient’s name and address, as well as other addresses present in the CC and BCC
From: IP address/other details about sender
subject showing the message's subject
message-ID, showing a unique identification for the message
message body, containing the message, separated from the header by a line break
Return-Path: return address in case of email failure
Content-Type field indicates whether the format of an email was HTML, TXT, or any other option
Received-SPF: sender verification
Authentication-Results: ID of authentication performing server
DKIM Signature: details of the sender, message, and the public key which is required to perform message authentication
Custom X-Headers
X-Received: non-standard headers added by some email providers
Header Lists/Guides
Digital Evidence Process: Identification -> Preservation -> Collection -> Analysis -> Reporting
Forms of Digital Evidence:
Digital Photographs
Logs
Documents
Messages
Files
Browser History
Databases
Backups
Disk Images
Video/audio files
Digital evidence handling tenants:
No altering of original evidence
Use write-blockers
Document the process
Order of Volatility: olatile data includes running memory or the Address Resolution Protocol (ARP) cache
Registers & Cache: CPU cache contents
Memory: RAM contents
Disk (HDD and SSD)
Remote Logging and Monitoring Data
Physical Configuration, Network Topology, Archival Media
Follow chain of custody by:
Using Evidence Integrity Hashing
Taking a Forensic Copy
Storing Digital Evidence securely
Using Chain of Custody Form
Windows
Right click file -> Properties -> Details
PowerShell: Get-ChildItem .\path-to-file.jpg | Format-List *
Linux
ls -lisap <file>
stat <file>
Linux
Get hash of text string: echo -n 'This is the text' | md5sum
Example: echo -n "This is the text" | md5sum
Get hash of file
sha256sum <file>
sha1sum <file>
md5sum <file>
Examples
sha256sum hashthis.jpg
sha256sum hashthis.jpg && sha1sum hashthis.jpg && md5sum hashthis.jpg
Windows
Get-FileHash -Algorithm <algorithm> .\file_path
Examples
Get-FileHash -Algorithm sha1 .\hashthis.jpg
get-filehash .\file.exe ; get-filehash -algorithm md5 .\file.exe ; get-filehash -algorithm sha1 .\file.exe
FAT16: File Allocation Table, uses a table to mark the position of the files; used by DOS and Windows 3.X; files can be lost of the FAT is lost/damaged
FAT32: FAT16 but with larger partitions for long filenames; uses 32 bits of data for identifying data clusters
FAT32 is compatable with many devices and is cross compatible with all modern operating systems since 1995
FAT32 disadvantages:
Only >4GB files
8TB max capacity
No data protection from power loss
No built in compression
No built in encryption
NTFS: Microsoft file system since Windows NT 3.1
Improved performance, reliability, security (ACLs) and disk space from FAT
Linux architecture for EXT3 and EXT4
User space: user space -> sends to system call -> requeast sent to kernel
Kernel space: operating system core -> provides requested resources to user space, manages io/memory/file management
Disk space: kernal space device driver io request -> hard disk
EXT3/EXT4
EXT3: default file system for many popular Linux distributions; uses journaling for resiliency
EXT4: maximum volume size of data supported by ext4 is 1exbibyte and file size is up to 16 tebibytes; uses extents which is a data storage area that reduces file fragmentation and file scattering
FTK Imager can be used to show file types of disk images
Pagefile.sys: used within Windows operating systems to store data from the RAM when it becomes full
Pagefile Location: C:\pagefile.sys
To show the hidden pagefile: dir /a:h c:
Swapfile used as RAM swap space in Linux, usually in its own partition
To adjust swapfile size: sudo fallocate -l [file size] /swapfile
To check the ammount of swap space: free -h
To show if the swap space is a file or a partitionswapon –show
Hiberation file: allows operating system to store current memory state to hiberfil.sys
LNK file analysis: LNK files are used by the Windows OS to link one file to another
LNK files can be found at: C:\Users\$USER$\AppData\Roaming\Microsoft\Windows\Recent
Windows File Analyzer can analyze these LNK files
Prefetch files: useful information about programs including the name of the application, the path to the executable file, when the program was last run, and when the program was created/installed
Prefetch files are located at: C:\Windows\Prefetch
Prefetch Explorer Command Line (PECmd.exe) can be used to view these files
Jump list: jump lists enable identification of filetypes automaticDestination-ms and customDestination-ms which show application pinned to the taskbar
Located here: C:\Users\% USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\%USERNAME%\AppData\ Roaming\Microsoft\Windows\Recent\CustomDestinations
Browsers
Artifacts
Cookies
Favorites
Downloaded Files
URLs Visited
Searches
Cached Webpage
Cached Images
Tools for collecting artifacts
KAPE
Browser History Viewer
Browser History Capturer
Logon Events
Log artifacts
Event ID 4624 (Successful Logon)
ID 4672 (Special Logon): privileged user login
ID 4625 (Failed Logon)
ID 4634 (Logoff)
RDP usage: Type 3 logon
Artifact Location
C:\Windows\System32\winevt\Logs
Stored in the \Security folder
Directories to analyze for anamolous behavior
Recycle Bin
/tmp/
/Downloads
Artifacts obtained through CMD
Tasks: tasklist
Ouput tasks to txt: tasklist > tasklist.txt
All running processes and associated binary files: wmic process get description, executablepath
Users: net user
Users in administrators group: net localgroup administrators
All groups: net localgroup
Users in group: net localgroup GROUP_NAME
Services detailed information: sc query | more
Open ports: netstat -ab
Artifacts obtained through PowerShell
Network Information: Get-NetIPConfiguration or Get-NetIPAddress
Local users: Get-LocalUser
Information about local user: Get-LocalUser -Name JohnDoe | select *
Identify running services on the system: Get-Service | Where Status -eq "Running" | Out-GridView
Identify priority value of processes: Get-Process | Format-Table View priority
Info of specifiy services: Get-Process -Id 'idhere' | Select * can also use -Name flag
Scheduled tasks: Get-ScheduledTask
Scheduled tasks in ready state: Get-ScheduledTask | Where State -eq "Ready"
Specific scheduled task: Get-ScheduledTask -TaskName 'NAME' | Select *
Artifacts from recycle bin
Location:
Windows 10: C:$Recycle.Bin
XP or older: C:\Recycler
To display hidden files: dir/a or Get-ChildItem -Hidden
Processes
To search for strings within an exe by using sysinternals strings: strings -a file_name.exe > strings_from_file.exe
Password Hashes
Passwd file: /etc/passwd file is used to keep track of every registered user that has access to a system
Shadow file: /etc/shadow file contains encrypted passwords as well as other information such as account or password expiration values
To show shadow file content: sudo cat /etc/shadow
Installed Software
Find installed software on Debian based systems by checking the status file: /var/lib/dpkg/status
Save all lines that contain package in /var/lib/dpkg/status to packages.txt: cat status | grep Package > packages.txt
System Logs
/var/log/auth.log: system authorizations, including user logins
/var/log/dpkg.log: packages installed or removed using the dpkg command
/var/log/btmp: failed login attempts
/var/log/cron: cron jobs
/var/log/secure: authentication and authorization privileges (eg related to SSH)
/var/log/faillog: failedf user logins
To search linux logs for a specific program/malware: /var/log$ grep -iRl {keyword}
Web Server Logs for Apache and Nginx
var/log/apache2/access.log: shows web server info in Apache, including:
Client IP
Resource accessed
HTTP method
User-Agent of client IP
Request timestamps
User Files
Bash History
cd ~
ls -a
cat .bash_history
history can also be used, but history -c can be used to delete terminal history
Clear Files
Desktop, Downloads, Music, Pictures, Public, Templates, Videos
Trash Bin
Super user startup scripts: /etc/rc.local
To show listening network connections: netstat -tulnp
Description: tool for dumping memory to a .mem file, taking disk images, exporting files from disk images, generating MD5/SHA1 hashes for evidence, provides read only view of contents of disk image
Usage
To capture memory and save it to a .mem file: File -> Capture Memory
To create a .img file : File -> Create Disk Image
To inspect a disk image file: Add Evidence -> Image File
Resources
Description: used to get file metadata, can be used to extract strings from metadata
Linux Installation: sudo apt-get install exiftool
Usage
To retrieve file metadata: exiftool <filename>
To embed "sneaky!" into dpg.jpg: exiftool -Comment="sneaky!" dog.jpg -> this creates file with embedded text called dog.jpg_original
Resources
Description: used to retrieve deleted files from .img files by using file carving
Linux installation: sudo apt-get install scalpel
Usage
Edit scalpel.conf to uncomment the type of files hoping to get from an .img file by doing one of the following
Manually edit the file by using the GUI to navigate to: /etc/scalpel/scalpel.conf and uncomment relevent file types
Use vim or nano sudo nano /etc/scalpel/scalpel.conf and uncomment relevent file types
Create a copy of the /etc/scalpel/scalpel.conf, uncomment relevent file types, and then specify that file when using scalpel by using: scalpel -c /path/to/new/conf.conf
Create an empty output directory
Run command: scalpel -b -o /empty/output/directory DiskImage.img
Example: scalpel -b -o /root/Desktop/ScalpelOutput DiskImage1.img
Note: scalpel can be configured to search for document types with custom headers and footers by editing the configuration file:
Example for files with "BTL1" header and "1LTB" footer: create a new line on the .conf file with txt y 10000 BTL1 1LTB
To show strings from a recovered file: strings path\to\txt
Resources
[https://linux.die.net/man/1/scalpel](Scalpel Man Page)
Description: triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes, also provides browser forensic artifacts
Usage: Run gkape.exe for the GUI tool -> Select Target Source -> Select Output Directory -> Select Targets (eg Chrome)
Resources
Description: decodes and analyzes useful Windows OS files (eg LNK Files) for forensic analysis
Usage: File -> Analyze shortcut
Resources
Description: used to fetch all possible forensic artifacts from a Windows prefetch file, which can be used to investigate applciations executed on a system
Usage:
On single file: PECmd.exe -f "C:\tmp\calc.exe-asdfasd.pf"
On directory: PECmd.exe -d "C:\tmp\pfdirectory\"
To run a string match in a directory: PECmd.exe -k “plaguerat.ps1” -d "C:\Users\BTLOTest\Desktop\Windows Investigation One\Prefetch\"
Example: PECmd.exe -k “plaguerat.ps1” -d "C:\Users\BTLOTest\Desktop\Windows Investigation One\Prefetch\"
Resources
Description: used to analyze LNK files to identify application information related to a user's profile
Usage: File -> Load Jump Lists
JumpList files are located here:
C:\Users\% USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\%USERNAME%\AppData\ Roaming\Microsoft\Windows\Recent\CustomDestinations
Resources
Description: can be used in conjunction with Browser History Viewer to obtain browser artifacts
Usage: select user profile -> select browsers -> select data -> select output directory -> capture -> use Browser History Viewer to analyze
Description: used to retrieve browser information
Usage: File -> Load History from output directory of Browser History Capture
Description: used to crack password hashes, including passwords from the passwd and shadow files in Linux
Installation: sudo apt-get install john
Usage
Obtain Linux password hashes from shadow file: cat /etc/shadow
To combine passwd and shadow files: unshadow passwd shadow > HashFile
To run using HashFile as input and rockyou.txt as word list with both files in current directory: john HashFile --wordlist=rockyou.txt
Resources
Description: used to hide and retrieve files, files can be easily hidden using steganography by running something like cat Dog.jpg secretmessage.zip > Dog2.jpg which hides the zip inside the jpg file
Installation: sudo apt-get install steghide
Usage
To hide secretmessage.txt inside dog.jpg: steghide embed -cf dog.jpg -ef secretmessage.txt
embed: specifies operation
-cf dog.jpg: cover file using dog.jpg
-ef secretmessage.txt: embedded file using secretmessage.txt
To extract hidden file: steghide extract -sf dog.jpg
extract: specifies operation
-sf dog.jpg: steganogrphy flag to specify file with potentially hidden data
Resources
Description: used for memory forensics and has the following capabilities:
List all processes that were running
List active and closed network connections
View internet history (IE)
Identify files on the system and retrieve them from the memory dump
Read the contents of notepad documents
Retrieve commands entered into the Windows Command Prompt (CMD)
Scan for the presence of malware using YARA rules
Retrieve screenshots and clipboard contents
Retrieve hashed passwords
Retrieve SSL keys and certificates
Find executables/commands related to processes
Export processes
Installation:
Extract archive and run setup.py
Can be cloned from repo by using: git clone https://github.com/volatilityfoundation/volatility.git
On Linux, extract archive and run: sudo python setup.py install
Usage
Create Profile
Run volatility on memory dump: volatility -f memdump.mem imageinfo
Any other commands need to include profile: --profile=WinXPSP2x86
Volatility Commands
volatility -f memdump.mem imageinfo: take memory image “memdump.mem” and determine the suggested profile (OS version and architecture) for analysis
volatility -f memdump.mem --profile=PROFILE pslist: use pslist plugin to print a list of processes to the terminal
volatility -f memdump.mem --profile=PROFILE pstree: use pstree plugin to print a process tree to the terminal
volatility -f memdump.mem --profile=PROFILE psscan: use psscan plugin to print all available processes,
volatility -f memdump.mem --profile=PROFILE psxview: use psxview plugin to print expected and hidden processes
volatility -f memdump.mem --profile=PROFILE netscan: use netscan plugin to identify any active or closed network connections
volatility -f memdump.mem --profile=PROFILE timeliner: use timeliner plugin to create a timeline of events from the memory image
volatility -f memdump.mem --profile=PROFILE iehistory: use iehistory plugin to pull internet browsing history
volatility -f memdump.mem --profile=PROFILE filescan: use filescan plugin to identify any files on the system from the memory image
volatility -f memdump.mem --profile=PROFILE dumpfiles -n --dump-dir=./: use dumpfiles plugin to retrieve files from the memory image, outputs files to current directory
volatility -f memdump.mem --profile=PROFILE procdump -n --dump-dir=./: use procdump plugin to dump process executables from the memory image, outputs to current directory
volatility -f memdump.mem --profile=PROFILE hashdump: extract and decrypt cached domain credentials stored in the registry
Volatility Examples
python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem imageinfo: identify memory sample information like system architecture
python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe”: find processes using volatility and pipe output into grep to search for lines containing "svchost.exe"
python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 pslist | grep “svchost.exe” | wc -l: outputs wordcount of number of ""svchost.exe" services identified by volatility
python vol.py -f /home/ubuntu/Desktop/Volatility\ memdump1.mem --profile=Win7SP1x64 dlllist -p 2352: find command line arguments used by process 2352
python vol.py -f /home/ubuntu/Desktop/Volatility\ Exercise/memdump2.mem --profile=Win7SP1x64 procdump -p 2940 --dump-dir /path/to/output/directory: dumps the executable for process 2940 to current directory
python vol.py -f mem_file.raw --profile=SuggestProfile pstree | grep "powershell\|cmd"
Resources
Description: comprehensive forensics tool that has the following capabilities:
Keyword Search
Timeline Analysis
LNK File Analysis
Email Analysis
File Type Sorting
Media Playback
Thumbnail viewer
Robust File System Analysis
Hash Set Filtering
Unicode string extraction
File type detection
Interesting files module
Android support
Usage: open Autopsy -> Select Data Source -> Choose modules -> Analyze results
Resources
Description: identifying specific files by looking at the characteristics of a large number of files to see if any of them match the profile
Installation
Install dependencies: sudo apt-get install automake libtool make gcc pkg-config
Install YARA: tar -zxf yara-4.0.2.tar.gz -> cd yara-4.0.2/ -> ./bootstrap.sh
Compile YARA: ./configure -> make -> sudo make install
Confirm Installation: sudo make install
Usage
Run rule file against a target: yara [OPTIONS] RULES_FILE TARGET
YARA Flags
-m: Prints the associated meta information to the terminal after a YARA scan.
-s: Prints the matching strings to the terminal after a YARA scan.
-r: Recursively scan all subfolders within the target location to ensure everything is scanned.
Installation
YarGen: tar -zxf yarGen-0.18.0.tar.gz
sudo apt-get install python-pip
sudo pip install pefile cd
sudo pip install scandir lxml naiveBayesClassifier
python yarGen.py --update
python yarGen.py --help
Usage
python yarGen.py -m /root/Desktop/Malware -o ./TestRule.yara
python yarGen.py: Runs the yarGen python script
-m /root/Desktop/Malware: Create rules for files inside the Malware folder
-o ./TestRule.yara: Output the generated rule to the current folder
cat TestRule.yara: read rules
Resources:
Description: critical log review checklist developed by Dr. Anton Chuvakin and Lenny Zeltser
General Approach
Identify which log sources and automated tools
Copy log records to a single location
Minimize “noise” by removing routine, repetitive log entries
Determine whether you can rely on logs' time stamps; consider time zone differences (data normalization)
Focus on recent changes, failures, errors, status changes, access and administration events, and other unusual events
Go backwards in time from now to reconstruct actions after and before the incident
Correlate activities across different logs
Develop theories about what occurred; explore logs to confirm or disprove
Security Log Sources
Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events
Typical Log Locations
Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats
Resouces
Description: Windows event IDs that help in log analysis. Most events are in the Security log, many only logged on Domain Controller
“Windows Event logs” or “Event Logs” are files in binary format (with .evtx extension), stored here:
Windows 2000 to WinXP/Windows Server 2003: %WinDir%\system32\Config*.evt
Windows Server 2008 to 2019, and Windows Vista to Win10: %WinDir%\system32\WinEVT\Logs*.evtx
Event Log Categories
Application: Events logged by an application (Execution, Deployment error, etc.)
System: Events logged by the Operating System (Device loading, startup errors, etc.)
Security: Events that are relevant to the security of the system (Logins and logouts, file deletion, granting of administration permissions, etc.)
Directory Service: This is a record available only to Domain Controllers, it stores Active Directory (AD) events
DNS Server: It is a record available only to DNS servers; logs of DNS service are stored
File Replication Service: Is a record available only for Domain Controllers, it stores Domain Controller Replication events
Events
User logon/logoff
Successful logon: 528, 540, 4624, 5379
Failed logon: 529-537, 539, 4625
Logoff: 538, 551, 4672, 4634, 4647
Special Logon: 4672
Logon attempt with explicit credentials: 4648
Replay attack detected: 4649
User account changes
Created 624, 4720
Enabled 626
Changed 642
Disabled 629
Deleted 630. 4726
Memeber added to security enabled group: 4732
Password changes
To self: 628
To others: 627
Password reset: 4724
File access events
A handle to an object was requested with intent to delete: 4659
A handle to an object was requested: 4656
The handle to an object was closed: 4658
An object was deleted: 4660
An attempt was made to access an object: 4663
The state of a transaction has changed: 4685
The state of a transaction has changed: 4985
Anamolous events
Service started or stopped: 7035, 7036
Object access denied (if auditing enabled): 560, 567
High number of deleted files: 4663
Changes to user rights assignments: 4704, 4717
Altered Audit and Account policies: 4719, 4739
Security log cleared: 1102
Reboot: 1074
SIDs filtered: 4675
New domain trust: 4706
Resources
Description: keywords to search for in linux logs for log analysis
Usage: sudo grep -r "search_keyword" /var/log *
Search Keywords
Successful User Login
“Accepted password”, “Accepted publickey”, "session opened”
Failed User Login
“authentication failure”, “failed password”
User added
"adduser" or "useradd"
User Logoff
“session closed”
User account change or deletion
“password changed”, “new user”, “delete user”
Sudo Actions
“sudo: … COMMAND=…”“FAILED su”
Service Failure
“failed” or “failure”
Resources
Description: list of items to consider for web server forensic analysis
What to scrutinize
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
HTTP Error Codes
Error code 200 on files that are not yours
Failed user authentication: Error code 401, 403
Invalid request: Error code 400
Internal server error: Error code 500
Resources
Description: list of items to consider for network device forensic analysis
What to scrutinize
Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality:
Traffic allowed on firewall: “Built … connection”, “access-list … permitted”
Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”
Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”
Detected attack activity: “attack from”
User account changes: “user added”, “user deleted”, “User priv level changed”
Administrator access: “AAA user …”, “User … locked out”, “login failed”
Resources
Description: standard protocol used to convey event or system log notification messages to a designated server, known as a Syslog server
Syslog protocol can be enabled on most network devices
Uses UDP 514 by default, TCP 514 for more reliability, TCP 6514 for stricter security standards
Syslog messages made of three components:
Priority Value (PRI): consists of Facility Code and Severity Level tables
Header: contains identifying information, such as; Timestamp, Hostname, Application name, Message ID
Message: usually saved in a file in /var/log
Resources
Description: Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log
Usage: change to downloaded directory, run sysmon -i as admin in command prompt, sysmon logs sent to Windows Event Viewer
Resources
Description: SIEM with advanced functionality
Usage
Starting Splunk on Linux
If not a service: sudo /opt/splunk/bin/splunk start
If running as a service: sudo systemctl start Splunkd
Basic Search Queries
Search source IP field (src) and the IP address value 10.10.10.50: search src="10.10.10.50"
Search desttination IP field (dst): search dst="10.10.100.5"
Search source IP field (src) and destination IP field (dst) the IP address value 10.10.10.50: search src="10.10.10.50" OR dst="10.10.10.50"
Search source IP field (src) to any destination IP field (dst) on the 10.10.10.0/24: search src="10.10.10.73" dst="10.10.10.*"
Simple failed login failure search: search pass* AND fail*
Show executables denerated from process, in this case cmd.exe, from Sysmon logs: index="botsv1" earliest=0 Image="*\\cmd.exe" | stats values(CommandLine) by host
Search for newly created windows user: search eventID field for 4270 or "net user"
Search for windows user logins: search eventID field for 4624
To search for web scanners: index=index_name sourcetype=stream:http src_ip=xxx.xxx.xxx.xxx | stats count by src_headers | sort -count | head 3
Search for .exe: index=botsv1 sourcetype=stream:http dest_ip="xxx.xxx.xxx.xxx" *.exe
To display search results in reverse chronological order: | reverse
Resources
Search for credentials submitted to form:
To get metadata information on sourcetypes or other fields in an index:
List all values within a field (eg sourcetype or source):
Time of crypto mining on host (fss = mining start fes = mining stop)
Search for IAM key of account that generated most distinct errors:
To detect syn scanning:
Description: PowerShell Module for Threat Hunting via Windows Event Log
May have to bypass remote code executioin on system: Set-ExecutionPolicy Bypass -Scope CurrentUser
Usage
Process local Windows security event log (PowerShell must be run as Administrator): .\DeepBlue.ps1 or .\DeepBlue.ps1 -log security
Process local Windows system event log: .\DeepBlue.ps1 -log system
Process evtx File: .\DeepBlue.ps1 .\evtx\new-user-security.evtx
Process all logs and output to txt: ./DeepBlue.ps1 .\evtx\* > output.txt
Resources
Description: suite of tools for analyzing Windows systems
Usage
Process Monitor: check for suspicious or unknown processes, can be usaed with netstat to track malware
Rootkit Revealer: detect rootkits or malware
Resources
Description: collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations
Usage
Resources
Bulk Extractor
COFEE
Computer Aided Investigative Environment (CAINE)
Digital Forensics Framework
DumpZilla
Encase
MAGNET RAM Capture
Nagios
Redline
GitTools
Nuclei
TODO:
Install/try phishtool and all other tools
Install sift workstation
Install MISP
Create repository with windows tools and script for installing linux tools
MITRE ATT&CK Framework Stages:
MITRE ATT&CK Navigator:
Execution technique examples:
Persistence examples:
Privilege escalation examples:
Defense evasion:
Credential access:
Hashcat can be used to attack encrupted passwords using brute force:
Discovery:
Lateral movement:
Collection:
Command and control:
Exfiltration:
Impact:
Installation: download from
More Display Filters here:
Domain/IP Lookup:
Domain Registration Lookup:
URL Analysis:
Show root HTTP Response:
Reverse IP Lookup:
IP Geolocation:
URL Sandbox:
Track reported phishing data:
Virustotal Malware Analysis:
Talos Malware Analysis:
Hybrid Analysis Malware Analysis:
PowerShell Get-FileMetaData Function:
Use JumpList Explorer:
Reference:
Reference:
Installation: can be downloaded from
Windows Installation: download from
Installation: download from
Installation: download program at
Installation: download program at
Installation: can be downloaded from
Installation: download program from
Installation: download program from
Can be downloaded and installed from
Installation: can be downloaded from
On Linux: download tar file from
Write YARA Rules:
YarGen to automatically generate rules for files:
Installation: download from
Installation: download from
Advanced SPL Examples (more can be found at )
Installation: download from
Installation: download from
Also an online version available:
Installation: download from for installation on Ubuntu follow: