Forensic Ramblings

First, thanks very much to David (@DCSecuritydk) for allowing me to ramble about forensics here on Security Distractions.

My name is Mitch; my first IR was ILOVEYOU in 1999 and I have been a forensics dilettante since 2004. I am a digital dinosaur who is currently focusing on OT Security.

I have always been fascinated by what you can discover from performing forensics and really enjoy learning from other skilled forensic practitioners. Back in the day, I started out with a script from a book called “Windows Forensics and Incident Recovery” written by Harlan Carvey (@keydet89) https://windowsir.blogspot.com/

Harlan has consistently reminded us to think about what we were doing and not just push buttons expecting to find evil. Thanks for RegRipper https://github.com/keydet89/RegRipper3.0 and all the learnings over the years. I wish I was a better pupil…

The need for Windows deadbox forensics is still there, with focus having shifted to incident response (IR), with the need for speedy accurate triage. Also, the target audience expanded to include not only X86, but mobile forensics, Apple products, Android OS, cars, IoT devices, etc. Given the rise of data breeches and malware attacks, the need for IR is only increasing.

But the basics are the same – paraphrasing the experts:
1)critical thinking – there is no “find evil” button; you need to know what you are looking for BEFORE starting
2)using a documented, defensible, explainable process (expecting the case to go to court)
3)understanding your subjects (Windows, MAC, Android)
4)understanding the threat actors and their TTP’s
5)understanding your tools, their usage and limitations
6)a love of testing, documenting and sharing back to the forensics community
7)mastery of many related topics like Linux, bash shell scripting, Python, Operating Systems, applications and protocols, technology stacks.

A great place to start for some basic forensic training is here: https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material/technical-operational#network_forensics

I had a need to examine a memory dump a while back and I used Volatility https://www.volatilityfoundation.org/
– both versions 2.6 and 3. Depending on the memory sample and what you are looking for, you might prefer one to the other. I will provide some details in another article, if allowed back 🙂

There are many great sites out there on how to use Volatility, but I wanted to mention one lesser known site I found to be very useful, from Marcos (@_N4rr34n6) because it reinforces a need to understand what you are looking for and he shared his thoughts with a number of good examples on how to get there – using grep
https://unminioncurioso.blogspot.com/2019/03/dfir-first-steps-with-volatility.html

Another very useful tool for triage is Bulk Extractor, which also is an often overlooked tool. In the next link, Marcos also shows his command of egrep. You can not be a modern day forensicator with out knowledge of some basic Linux commands.
https://fwhibbit.es/en/who-is-mr-x-lets-find-out-it-with-bulkextractor-egrep-patterns-we-are-what-we-browser

Another essential item in the documentation process is hashing your evidence. Recently, at the SANS OSINT Feb 2020
Steven Harris @nixintel presented “Hash Or It Didn’t Happen” which can be found here https://www.sans.org/cyber-security-summit/archives/security-awareness (Yes you need to have a SANS account)

This is an excellent presentation showing Locard’s principle in action.

The www.nixintel.info also has an excellent OSINT resource site as well : https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list

Finally, one great source of forensics images – DigitalCorpora, has been moved over to AWS and is so fast now :

https://digitalcorpora.org/news
https://downloads.digitalcorpora.org/corpora/

That’s it for me, for now. Thanks for reading!

Leave a Reply

Your email address will not be published. Required fields are marked *