All too often an interesting item is discovered on a system and everyone wants to know if the item exists on any other system. This could be a daunting task, but it can be accomplished using PowerShell. With the location and name of the file in hand, the following can
Forensics
Finding Services Tied to Processes
When looking at a process list, you will undoubtedly see a number of svchost processes. The overall number of them really depends on the system and what services are running. Each svchost has at least one service running within it. If you are seeking a better understanding of which service
Fileless Malware Storage: Group Policy Objects – 4 of 4
Up to this point, we’ve discussed using the Registry, Active Directory, and Event Logs for storing stagers in Windows. In our last installment of this series, we will discuss the use of Group Policy Objects to achieve the same goal. Group Policy is designed to be a hierarchical infrastructure to
Fileless Malware Storage: Event Logs – 3 of 4
Up to this point, we’ve touched on using Active Directory and the Registry to store code for later use. To add on to the topic, we can also use Event Logs. The effectiveness of this technique is based on the environment in which one looks to use it. I say
Fileless Malware Storage: Active Directory – 2 of 4
In my last post, I spoke on the use of the Registry to store malicious code to call upon at a later time. In this post, I’ll discuss using Active Directory to store code. Essentially, Active Directory is a hierarchical structure that stores information about objects on the network, particularly
Fileless Malware Storage: Registry – 1 of 4
Malware delivery methods have changed over the years and in some cases, repeated themselves. Within the last couple of years, fileless malware has become prevalent and more widely seen. How this malware is stored on disk varies. Frankly speaking, anywhere that can store data, be it hex or ASCII, serves
Hidden Gems in McAfee ePO Audit Logs
There is no shortage of organizations these days running McAfee’s ePolicy Orchestrator in an effort to combat maliciousness. Much like any endpoint security platform, it has its strengths and weaknesses. One of the great features of the application is that it contains an audit log containing authentication information to include
Finding Reflective DLL Injections
DLL injections that originate from a malicious DLL written to disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, is not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed
Hunting Self-signed Certificates
Self-signed certificates could be indicative of malicious behavior on a system and being able to identify them is a key task in responding to an incident. Having self-signed certificates in an environment isn’t always a bad thing but not being able to identify them and their purpose is! Nonetheless, taking
Hashes of All Running Processes
A great starting point for anyone analyzing a system is the running processes. Taking the time to not only retrieve the command line execution of the process but also the parent process will enable you to find outliers. Taking it a step further, retrieving the hashes of the binary of
Determining WinRM connections to a Machine
PSRemoting is an awesome feature in Microsoft Windows that serves as an ssh-like function. In Server 2012 and newer, it is enabled by default. You will, however, need to enable the feature on any client system you’d want to use it on. Some organizations feel having the service enabled throughout
Getting hashes with Microsoft’s File Checksum Integrity Verifier (FCIV)
Are you responding to an incident? Are you trying to hash particular portions of the disk for comparison with known good hashes? Are you questioning whether or not to trust the binaries on the possibly compromised system disk in order to get said hashes? Well, have no fear, Microsoft
Parsing Registry files with RegRipper
The registry of a system contains a lot of good data that can be used for forensic analysis. Parsing that data from dead box forensics (bit image) using RegRipper (rip.pl) will provide you with a lot of useful information. RegRipper is an automated HIVE parser that can parse the forensic contents
Analyzing Various Memory Capture Formats
In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.
FTK Imager – Outputs to .mem – Can be analyzed in Volatility: vol.py -f –profile=
VMWare (.vmem) – .vmem and .vmsm
Extracting Data with Bulk Extractor
When it comes to forensics, styles and methodologies may vary from person to person (or organization). Some methods take longer than others and results may vary. One tool/technique that I lean on time and time again is Bulk Extractor. Bulk Extractor is a program that enables you to
Analyzing Memory in the Wonderful World of Redline
Redline is one of a few memory capture/analyzer programs that I keep in my toolkit. How it works is that the software only needs to be installed on the system that you will be analyzing the data on; from there, you would configure the options you want to include
Search Exchange 2010 Mailboxes
NOTE: The user you run the script with must have the “Discovery Management” RBAC Role. This script will search all mailboxes for email with attachments named “document1” and “document2” regardless of the file extension. The script will then copy the email message to the “admin.mailbox” mailbox in a folder called
Detecting Alternate Data Streams with PowerShell and DOS
Alternate Data Streams (ADS) are nothing new and there are a few ways to detect them within an NTFS filesystem. My tools of choice for detecting an ADS are LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue though is
Bare Monkey (Volatility)
I’ve been working on Bare Monkey for a few months now. Bare Monkey takes a Windows memory capture, runs it against all Volatility plugins and writes the output of each to a text file. Afterwards, it deletes the generated files that are empty and then compresses the files left. It also creates
Converting a DD image into a VM – pt. 2
This is part 2 of the tutorial on converting a DD image into a VM. The instructions below assume that one already has a DD image and has it unzipped and uncompressed. To finish the task, please read on. 1. Copy the target_image from your linux
Converting a DD image into a VM – pt. 1
A good buddy of mine introduced me to LiveView, which creates virtual machines from DD images. There were a number of other programs out there that can do the same thing but they didn’t seem as smooth as LiveView. One may be wondering what the need is for
Skittle Grinder (Linux Log Collection)
Skittle Grinder is the de facto way of getting the “kitchen sink” from a Linux system. Its development stemmed from a gap we faced in the forensics realm but it could be used for baselining, auditing, or whatever you see fit. Skittle Grinder checks for rootkits, creates a tarball of
Memory Capture with FTK Imager
I previously wrote about using DumpIt for Windows memory captures. If all you need from a system is to capture memory, it fits the bill rather well. There have been some times where it’s given me some issues grabbing memory over 8GB. Nonetheless, what if you need to do more?
Wait, did something change? Don’t know, use Regshot
1. Download the program from http://sourceforge.net/projects/regshot/.
2. Right-click the program and run it as administrator.
3. The below screen should appear. From there we have the option of comparing logs in plain TXT or HTML. We can also choose folders to scan as well.
Parse and Extract PST and OST Mailboxes
Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation
Parsing Metadata with ExifTool
It’s one thing to have a piece of data but it’s another thing to be able to get the metadata about said data. ExifTool (http://www.sno.phy.queensu.ca/~phil/exiftool/) is a tool that will allow just that. It’s command-line based but there is a GUI version as well called pyExifTool (https://hvdwolf.github.io/pyExifToolGUI/). The tool
Windows Memory Capture using DumpIt
One of the simplest tools for capturing memory from a Windows system is DumpIt. The program is very portable and saves the capture to wherever the program is run from. Most people will run it from a flash drive but depending on your company’s security policy that may not be
Memory Capture via Hibernation File
If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem
Determining what profile to use when analyzing Windows memory in Volatility
No need to guess or experiment with different profiles; let Volatility figure that out for you. In testing, this worked with all formats that Volatility supports. If you were the one to do the memory dump or if the file was labeled with OS information, this wouldn’t be a concern or
Forensics Posters
Anybody getting into forensics knows it’s like putting on a pair of glasses and seeing things in a whole new light. Part of being able to identify bad or evil is being able to identify normal. In my opinion, SANS did a pretty good job depicting some common things to
Building a profile for Volatility
After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done
Linux Memory Capture with LiME
When doing forensics, grabbing a capture of the live memory is vital. There are a few different programs out there to accomplish the task but in my testing, I felt LiME was the best choice. It wasn’t intrusive at all on the system and was pretty straightforward. Once I compiled