The digital world has borrowed terminology and principals form the kinetic world for decades. We’ve all heard of an upcoming cyber war using cyber bullets spawned from the digital pearl harbor. We have gangs, as well as cyber-gangs, or criminals, as well as cyber criminals. The reason there are so many comparisons is that there are a lot of parallels between the digital and physical world around us.
One of the most fascinating areas of information security to me is digital forensics and incident response, or DFIR. Understanding how an attack took place and piecing together the puzzle with the scattered pieces is a difficult challenge, especially when some or all of the pieces may be missing.
Years ago, a mentor of mine told me about Locard’s Exchange Principle. A criminal is always going to bring something to and leave something from a crime scene.
For the digital world, Locard’s principle is solid. An attacker coming in is going to introduce change and leave behind modified files, new services, audit logs and any number of evidence behind. Even the best attackers who clean their tracks are still going to leave some trace evidence behind.
The challenge for incident responders is to find those traces in order to piece together a picture of what might have happened on the systems they are investigating. While pulling memory from an endpoint and using a tool, such as Volatility, is comprehensive when doing analysis, gathering memory from multiple machines across an enterprise can become a lengthy and costly process.
Before doing costly incident response procedures such as memory analysis, you should first determine which systems might require that level of analysis. Doing live disk analysis of a system can help make that decision of which systems to take memory from. When doing a live disk analysis, however, you need to ensure that the endpoint is not tainted with the analysis tools used. Everything that is run on the endpoint needs to be documented to ensure that it isn’t categorized as an action taken by an adversary.
There are a few categories of data that can be valuable when performing a live disk analysis of an endpoint: file access, network artifacts, process execution, USB usage and user activity.
File access would include items such as recently viewed files, Windows Jump Lists, and the Windows Open Save MRU (Most Recently Used) items. These can give an indication as to what an adversary was searching for and what items they actually gained access to. For end user systems, Microsoft Office has trusted documents and document locations, which may be interesting to inspect.
Additionally, there are also recently opened documents and document locations, which can be used to help determine what the motives were for the attacker.
If you are doing full-scale incident response, you would use network traffic logs to determine the actual network activity. However, commands such as netstat can be valuable if you are able to catch the malware running on an endpoint. The “netstat -nao” command will list out network connections with their associated process ID.
Using that process ID, you can tie potential malicious activity to the process running on the endpoint. Was the attacker using custom malware or built-in tools such as PowerShell? From a command line, you can pull activity running processes with the process IDs.
If you aren’t able to catch malware running, the prefetch files can be used to determine evidence of files which are executed. The prefetch files are modified each time a process has been executed. Without real-time process monitoring with process IDs, the prefetch files are the next best thing to look at.
For many systems which are exposed to end users and the general public, USB usage can be a risky attack vector. Windows is nice enough to store information about every USB drive which has been inserted into a device. While you can see devices that are currently plugged in, the registry also stores information on the first time a device was plugged in, the last time it was plugged in and the last time it was removed.
Finally, user activity is something that will be of the utmost importance to analyze. Looking at file activity, process execution and network activity gives some clue as to what happened, looking at items such as the Word Wheel Queries or Outlook Temp Files can shed even more light.
All of the items here and more can be pulled using Tripwire Enterprise. There are Incident Response rules available on the Tripwire Customer Center now. You will need Tripwire Enterprise version 8.6.2 or higher, as these leverage the script output capture rule type. If you are concerned that there may be malicious activity on your endpoints, use these rules to gain additional insight into what is happening on the systems you are tasked with protecting.