DFIR Cheatsheet
Wrap-up of a bunch of open source information about incident response and digital forensics.
📖 Overall methodology - Digital Forensics for IR
- RAM Memory acquisition (If the acquisition make sense)
- Check if machine has full disk encryption, if so LIVE image it before turning it off.
- Disk imaging
Due to wearing leveling when imaging SSD Drives always prefer to image the system LIVE. Nice intro paper on the subject can be found here (PT/BR) and here.
- FTK Imager
- gkape
- Arsenal Image Mounter
- dc3dd / dd
🔥 Quick Wins
Evidence of execution / opened files, check OS version for each indicator
:::info Most tools to analyze these artifacts used are from eric zimmerman github, thanks for the amazing tools and effort Eric! :::
- ShimCache =>
HKLM\SYSTEM\CurrentControlSet\Control\SessionManager\AppCompatCache\AppCompatCache - AmCache (regripper) =>
\%SystemRoot%\AppCompat\Programs\Amcache.hve - Prefetch files =>
C:\Windows\Prefetch\*.pf - Jumplists =>
%HOME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*-ms - LNK files =>
%HOME%\AppData\Roaming\Microsoft\Windows\Recent Items\* -
Shellbags => %HOME%\AppData\Local\Microsoft\Windows\UsrClass.datHKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell - Registry (regripper) =>
C:\Windows\System32\config\{SAM,SOFTWARE,SYSTEM,SECURITY}- NTUser.dat in user profile folder
C:\users\malicious_user\ntuser.dat
- NTUser.dat in user profile folder
🔍Triaging
- Look for high entropy executable in file system (possible malware) with densityscout
densityscout -s cpl,exe,dll,ocx,sys,scr -p 0.1 -o results.txt c:\Windows\System32
- Grab memory image
- Grab hibernation file
- Grab page file
- Grab registry hives
- Grab event logs (evt/etvx)
- Grab the Master File Table ($MFT)
Memory acquisition on virtualised platforms
- VMWare = .vmem file
- MS Hyper-V = .bin file
- Parallels = .mem file
- VirtualBox = .sav file (partial)
🧱Mounting evidences
Mounting E01
ewfmount image.E01 /mnt/ewf_mount && mount -o ro,loop,show_sys_files,streams_interface=windows /mnt/ewf_mount/ewf1 /mnt/windows_mount
Umount the image:
umount /mnt/windows_mount && umount /mnt/ewf_moun
Mounting vmkd as read-only
$ mount /disk/disk.vmdk /path -o ro,loop
Mounting raw/dd
- List disk information
- Get start offset and multiply by sector size => 2048 * 512 = 1048576
$ sudo mount disk.raw /mnt/mountpoint -o ro,offset=1048576
Mounting vmdk
$ guestmount -a Joao\ Topete.vmdk -i --ro /mnt/leforense/joao-pc
Converting vmdk to raw
$ qemu-img convert -f vmdk Joao\ Topete.vmdk -O raw joao.raw
Retrieving $MFT from raw image
$ mmls image.raw
$ icat -o <offset, 2048> image-file.E01 0 > image.mft
# then generate timeline with analyzeMFT.py
$ analyzemft.py -f /path/to/mounted/windows/image/\$MFT -a -e -o analyzemft-results.csv
# Or generate with MFTEcmd
MFTECmd.exe -f "C\$MFT" --body "E:\timeline" --bodyf test.body --blf --bdl E:
mactime -z America/Sao_Paulo -y -d -b /test.body 2019-07-23..2019-08-07 > /test-filesystem-timeline.csv
Mounting volume shadow copy
Windows - mount the image image file using Arsenal Image Mounter
vssadmin list shadows /for=D:
# Then we just need to create a symbolic link and access it
mklink link created for C:\path\to\link <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{1|2|3|4}
# From raw image
vshadowmount /mnt/ewf_mount/ewf1 /mnt/vss & cd /mnt/vss && for i in vss* ; do mountwin $i /mnt/shadow_mount/$i ; done
# From mounted image
vshadowinfo /mnt/ewf_mount/ewf1
💾Registry Analysis
https://github.com/keydet89/RegRipper2.8
Full analysis
$ rip.pl </path/to/registry/hive/NTUUSER.DAT> -f ntuser > user.txt
$ rip.pl </path/to/registry/hive/SYSTEM> -f system > system.txt
$ rip.pl </path/to/registry/hive/SOFTWARE> -f software > software.txt
$ rip.pl </path/to/registry/hive/SECURITY> -f security > security.txt
Recent docs opened from user
$ rip.pl -r c:\Users\<username>\NTUSER.DAT -p recentdocs > rip-recent-docs-resultst.txt
Recent searches have been done from the Start menu
$ rip.pl -r c:\Users\<username>\NTUSER.DAT -p wordwheelquery > rip-recent-start-searches-resultst.txt
Searching for specific strings
RECmd.exe -f .\NTUSER.dat --sk Skype
RECmd.exe -f .\UsrClass.dat --sd Skype
Check for bad stuff in keys of auto start applications
HKLM\Software\Microsoft\Windows\CurrentVersion\RunHKLM\Software\Microsoft\Windows\CurrentVersion\RunonceHKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
📖Memory analysis methodology
Identify rogue processes
- Analyze processes
- Legitimate process?
- Name spelled right?
- Fits with system context?
- Full path
- Is the process executable in the usual place?
- Is it running from user or temp directories?
- Parent process
- Is it as expected?
- Command line
- Does it have the right switches?
- Start time
- Was it started at boot or something else?
- Did the process start close the time of a known incident?
- Security ID
- Does the SID make sense? Would a system process run with a user accounts’ SID?
- Analyzing process objects
- DLLs
- Handles
- Files and directories
- Look at occurrence of use. Malware files should, historically, be the least accessed files on the system
- Registry
- Events
- Files and directories
- Threads
- Sockets
- Network artifacts
- Suspicious ports
- out-of-the-ordinary ports
- listening ports (backdoors)
- Suspicious connections
- Anything connecting out
- Known bad-IPs
- Creation time matching an incident
- Suspicious processes
- Should this process have networking capabilities?
- Suspicious ports
- Detecting code injection
- Look for DLL injection and process hollowing
- Rootkit detection
- Not a big thing anymore, most AV does a good job at detecting this
- Hides in
- System service descriptor tables
- Interrupt descriptor tables
- Function import address tables
- I/O request packets
- Acquiring processes and drivers
- Submit for reverse engineering or AV analysis
- Review strings
- add to bad-words list
- You can export Volatility switches so you don’t have to set them all the time:
- export VOLATILITY_PROFILE=Win7SP1x64
- export VOLATILITY_LOCATION=file://image.img
- imagecopy can be used to convert crash dumps and hibernation files to raw memory
- Started applications for your timeline
- pslist
- psscan
- pstree
- Run dllist to see what DLLs were loaded as part of interesting processes
- Check handles and services
- Run connections, connscan, sockets, sockscan and netscan to see network connections
- malfind to find hidden and injected code
- ldrmodules to find unlinked DLLs
- psxview, driverscan, ssdt, ssdt_ex, apihooks, idt and driverirp to find rootkits
💽Volatility
Identification of profile
volatility -f /path/to/memory/dump.001 imageinfo
Network connections
volatility -f /path/to/memory/dump.001 --profile=<profile> netscan > netscan-results.txt
volatility -f /path/to/memory/dump.001 --profile=<profile> connections > connections-results.txt
volatility -f /path/to/memory/dump.001 --profile=<profile> connscan > connscan-results.txt
volatility -f /path/to/memory/dump.001 --profile=<profile> sockets > sockets-results.txt
volatility -f /path/to/memory/dump.001 --profile=<profile> sockscan > sockscan-results.txt
Extract cached files from memory
volatility -f /path/to/memory/dump.001 --profile=<profile> filescan > filescan-results.txt
# Look through the list of cached files for anything interesting, then run the following to extract it:
volatility -f /path/to/memory/dump.001 --profile=<profile> dumpfiles -n -r <filename> --dump-dir=./
Rogue processes
# Processes running
volatility -f /path/to/memory/dump.001 --profile=<profile> psscan
volatility -f /path/to/memory/dump.001 --profile=<profile> pstree
volatility -f /path/to/memory/dump.001 --profile=<profile> pstotal --cmd --output=dot --output-file=/path/pstotal-graph.dot && xdot pstotal.dot
volatility -f /path/to/memory/dump.001 --profile=<profile> malprocfind > malprocfind-results.txt && grep False malprocfind-results.txt
Loaded DLLs of processes
volatility -f /path/to/memory/dump.001 --profile=<profile> dlllist -p <pidofprocess> > dlllist-results.txt
Processes handles
volatility -f /path/to/memory/dump.001 --profile=<profile> handles -p <pidofprocess> > handles-results.txt
# Shows all the resources the process interacted with.
volatility -f /path/to/memory/dump.001 --profile=<profile> handles -p <pidofprocess> -t Key > handles-key-results.txt
# Shows all the registry keys the process interacted with.
volatility -f /path/to/memory/dump.001 --profile=<profile> handles -p <pidofprocess> -t File > handles-file-results.txt
Who started each process?
volatility -f /path/to/memory/dump.001 --profile=<profile> getsids -p <pidofprocess> > getsids-results.txt
### Hibernation file to memdump
A hibernation file is stored in C:\hiberfile.sys if you have hibernation enabled. It contains parts of the memory at the time of hibernation, depending on the version of Windows. Run this to covert it to a raw image for further processing with Volatility.
volatility -f /path/to/hiberfile.sys --profile=<profile> imagecopy -O /path/to/output/folder/hibermemory.ra
## Super timeline
Timeline of events + MFT entries
# First generate the plaso dump
log2timeline.py plaso.dump /path/to/drive/image.E01
psort.py -z "America/Sao_Paulo" -o L2tcsv /path/to/plaso.dump -w plaso.csv "date > 'yyyy-mm-dd hh:mm:ss' AND date < 'yyyy-mm-dd hh:mm:ss' "
# Using docker
sudo docker pull log2timeline/plaso
sudo docker run -v $(pwd):/data log2timeline/plaso log2timeline /data/plaso.dump /data/image.E01 # Supposing that the E01 file is in your current directory
sudo docker run -v $(pwd):/data log2timeline/plaso psort -z "America/Sao_Paulo" -o L2tcsv /data/evidence.plaso "date > 'yyyy-mm-dd hh:mm:ss' AND date < 'yyyy-mm-dd hh:mm:ss'" -w /data/evidence.csv
You can filter out some temporary internet files, as these tend to add a lot of noise. The suggested ones to exclude are:
- Temporary\ Internet \Files
- PrivacIE
- Content.IE5
- IETldCache
- ACPI
- MSIE\ Cache\ File
- THREAD
- \(\$FILE\_NAME \)
- DLL\ LOADTIME
You can store these in a whitelist file and then do negative grep to filter them out.
grep -a -v -i -f whitelist.txt /path/to/plaso.csv > supertimeline.csv
## Timeline with memory dump + disk
$ fls -m -p -r /path/to/image.E01 -i ewf > drive-image-timeline-bodyfile
$ volatility -f /path/to/image.001 --profile=<profile> timeliner --output=body --output-file=drive-image-timeline-timeliner.body
$ cat drive-image-timeline-timeliner.body >> drive-image-timeline-bodyfile
$ mactime -z America/Sao_Paulo -y -d -b drive-image-timeline-bodyfile <start time..end time in format yyy-mm-dd..yyyy-mm-dd> > drive-image-memory-timeline.csv
# This will give you a timeline with all the events in the given period.
## Windows event log
Location
≥ Windows 7/2012 ⇒ C:\Windows\System32\winevt\*.evtx
C:\Windows\System32\config\*.evt
Tools
- Event Log Explorer (evt/etvx)
Correcting UTC: View -> Time Correction -> Display UTC time
- evtxecmd (evtx only)
Event IDs
Remote Desktop - RDP - Source Security
- 4776 – Account logon with local authentication
- 4624 – Account logon with domain authentication
- Logon Type 10 is RDP interactive session
- 4625 - Failed account login attempt
- 4648 - Logon specifying alternate credentials - if NLA enabled on destination.
- Current logged-on
- User Name
- Alternate User
- Name Destination
- Host Name/IP
- Process Name
- 4688 - Process spawn
- Text search for psexec, mimikatz, powershell, wmic, IEX.
- 4778/4779 – RDP reconnects
- 5140 – Shares mounting
- 7045 – Service installation
Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx
- 1024 - Destination Host Name
- 1102 - Destination IP Address
Map Network Share (net.exe)
Source
Security.evtx
- 4648 – Logon specifying alternate credentials
- Current logged-on
- User Name
- Alternate User
- Name Destination
- Host Name/IP
- Process Name
Microsoft-Windows-SmbClient%4Security.evtx
- 31001 – Failed logon to destination
- Destination Host Name
- User Name for failed logon
- Reason code for failed destination logon (e.g. bad password)
Destination
Security.evtx
- 4624 - Logon Type 3
- Source IP/Logon
- User Name
- 4672
- Logon User
- Name Logon by user with administrative rights
- Requirement for accessing default shares such as C$ and ADMIN$
- 4776 – NTLM if authenticating to Local System
- Source Host Name/Logon User Name
Timeline of event files
# Single file
EvtxECmd.exe -f C:\Path\to\Security.evtx --csv C:\Path\to\directory\of\logs
# Directory containing events
EvtxECmd.exe -d C:\Path\to\events --csv C:\Path\to\directory\of\logs
Always change the timezone when visualizing the data from EvtxECmd.exe, default is UTC-0. In excel, create a new column and use this formula:
=A2 - (3/24) ⇒ Converting UTC-0 to UTC-3
## Plaso filters
Useful for collecting only useful information from an image
$ cat filter.txt
/[$]Recycle.Bin/.+
/Users/.+/NTUSER.DAT
/Users/.+/AppData/Local/Google/Chrome/.+/.+/.+
/Users/.+/AppData/Local/Google/Chrome/.+/.+/.+/.+
/Windows/System32/config/SOFTWARE
/Windows/System32/config/SYSTEM
/Windows/System32/config/SAM
/WIndows/System32/config/SECURITY
/Windows/System32/config/WinEvt/Logs/.+
/Windows/System32/WinEvt/Logs/.+
/[$]MFT
/[$]Extended/.+
/Windows/AppCompat/Programs/Amcache.hve
/Windows/Prefetch/.+
/Windows/System32/Tasks/.+
$ log2timeline --filter_file filter.txt --parsers triage image-plaso.dump </path/to/image.E01>
Browser history
Edge and Internet explorer:
C:\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_\AC\MicrosoftEdge\User\Default\FavoritesC:\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_\AC\MicrosoftEdge\User\Default\RecoveryC:\Users\username\AppData\Local\Packages\Microsoft.MicrosoftEdge_\AC\MicrosoftEdge\User\Default\DataStoreC:\Users\username\AppData\Local\Microsoft\Windows\WebCacheC:\Users\username\AppData\Local\Microsoft\Windows\HistoryC:\Users\username\AppData\Local\Microsoft\Internet Explorer\IECompatData\C:\Users\username\AppData\Local\Microsoft\Feeds Cache\C:\Users\username\AppData\Local\Microsoft\Windows\WebCache\C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Chrome
C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\History
Firefox
C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\
PCAP Analysis
NetworkMiner for statistics of DNS queries, long connections, amount of traffic of each IP. TODO
Malware analysis
OSINT lookup
https://www.virustotal.com/gui/home/search
https://totalhash.cymru.com https://metadefender.opswat.com/#!/ https://avcaesar.malware.lu/ https://malwr.com/ https://hybrid-analysis.com
Signature check
Beware! It sends the file to VT! Tool: https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
sigcheck -c -e -u -h -v -vt filename.exe > sigcheck-results.csv
sigcheck -c -e -u -h -v -vt \path\to\folders\like\system32 > sigcheck-results.csv
Open the CSV in Excel and order by the VT detection column to see which files had VirusTotal trigger.
Data carving
Some tools
- scalpel / foremost
- photorec
Extract files from unallocated space/slack space
blkls <image.E01> > image.blklsThen run foremost as the data carving tool, to look for file structures eaders, footers, magic bytes etc) in the image you made with blkls:
foremost -q -b 4096 -o <output directory> -c /usr/local/etc/foremost.conf age.blkls
LCP - Check if account has password, found here
https://www.lcpsoft.com/en/index.html
Linux/Unix
TODO!
Volatility cheatsheet
📖 Incident Response Methodology
TODO!
Live response
Checking for security updates with MBSA scan
wmic qfe where hotfixid="KB958644" list full
# Remotely querying for hotfixes
wmic qfe where hotfixid="KB958644" list full /node:127.0.0.1 /user:admin /password:p@ssw0rd
DHCP
Default Location Windows 2003/2008/2012 => %windir%\System32\Dhcp
Enable DHCP logging
reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v tivityLogFlag /t REG_DWORD /d 1
DNS
Enable DNS logging
DNSCmd <DNS SERVER NAME> /config /logLevel 0x8100F331
Setup path log
DNSCmd <DNS SERVER NAME> /config /LogFilePath <PATH TO LOG FILE>
Set max size
DNSCmd <DNS SERVER NAME> /config /logfilemaxsize 0xffffffff
Powershell way (Requires RSAT)
Check if module is installed
Get-Module DNSServer –ListAvailable
Check whats is enabled
Get-DnsServerDiagnostics
Enable all diagnostic options except for LogFilePath
Set-DnsServerDiagnostics -All $True
Enable diagnostics for outgoing TCP responses for updates
Set-DnsServerDiagnostics -SendPackets $True -TcpPackets $True -Answers rue -Updates $True
Show usage
Get-Help Set-DnsServerDiagnostics
Show process running
# cmd
tasklist
# Using WMI
wmic process list full
Accounts avaliable
net user
net localgroup administrators
Users logged on
psloggedon \\computername
quser
Date of creation ⇒ new accounts
wmic useraccount get name,localaccount,installdate
# One approuch is check creation time of folder directory
dir /tc "C:\Documents and Settings\"
dir /tc "C:\Users\"
# /t = time
# /c = creation
# Other is looking at the events log file (Windows XP/2003)
cscript c:\windows\system32\eventquery.vbs /L security /FI "id eq 642"
# >= Windows 7
wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]" | more
Show all ports allowed in the firewall
netsh firewall show portopening
Open sessions
net view \\127.0.0.1
net session
nbstat
netstat -nabo
Startup applications
wmic startup list full
Linux/Unix
Check for process running
ps -ef
ps aux
# Info about specific process, as ports and files associated
for i in $(pgrep processo-malicioso); do lsof -p $i; done
Searching for files
# Owned by root
find / -uid 0 -perm -4000 –print
# By size - greater than 10 mb
find / -size +10M –ls
# By time modification - between date A and B, ex: 10-10-2019 until 20-10-19
find / -newertime 'yyyy-mm-dd' ! -newertime 'yyyy-mm-dd'
Check for connections
netstat -tupan
# Listening ports
ss -lntp
# Live monitoring of ports
ss -ltnp | less -S
# Arp table
arp -a
Check for allowed firewall rules
iptables -t nat -nL
iptables -t mangle -nL
iptables -t filter -nL
iptables -t raw -nL
Scheduled jobs
# Current user
crontab -l
# User specific
sudo crontab -u id3s3c
Analysis of Competing Hypotheses (ACH)
Analysis to help validate a set of possible hypotheses for RCA (root cause analysis) after an incident.
- Create a list of hypotheses that are possible causes.
- Create a list of evidences gathered during the investigation.
- Create a matrix where the columns are the hypotheses and the rows are evidences.
- Evaluate line by line if the evidence is:
C- consistent,I- inconsistent orA- ambiguous if the hypotheses is true or false. - Delete/Hide evidence that is consistent with all hypotheses.
- Assess each evidences reliability (A-F) and credibility/truthness (1-6)
- Who or what was the source of this evidence?
- What access the source have?
- What is the source reliability?
- Is the information plausible?
- Rank the hypotheses in terms of least disconfirming evidence (rather than most supporting evidence )
- Least evidence against is more likely to be correct.
- Remote
- Very unlikely
- Unlikely
- Even chance
- Probably/likely
- Very likely
- Almost certainly
- Least evidence against is more likely to be correct.
| Reliability | Meaning |
|---|---|
A |
Completely reliable |
B |
Usually reliable |
C |
Fairly reliable |
D |
Not usually reliable |
E |
Unreliable |
F |
Reliability can’t be judge |
| Credibility | Meaning |
|---|---|
1 |
Confirmed by other sources |
2 |
Probably true |
3 |
Possibly true |
4 |
Not usually reliable |
5 |
Improbable |
6 |
Truth can’t be judge |
Wannacry Example - Who was responsible for the attack?
H1 - A sophisticated financially-motivated cybercriminal actor H2 - An unsophisticated financially-motivated cybercriminal actor H3 - A nation state or state-affiliated actor conducting a disruptive operation H4 - A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA)
| Evidence | H1 | H2 | H3 |
|---|---|---|---|
| C | C | I |
References https://www.youtube.com/watch?v=iuU_GI5WMpY https://isc.sans.edu/forums/diary/Analysis+of+Competing+Hypotheses+WCry+and+Lazarus+ACH+part+2/22470/ https://www.reliaquest.com/blog/wannacry-an-analysis-of-competing-hypotheses-part-ii/
Useful information
References
- https://blog.1234n6.com/2018/10/available-artifacts-evidence-of.html
- https://digital-rensics.sans.org/community/papers/gcfa/windows-logon-forensics_6928
- https://github.com/christophetd/hunting-ndmaps/blob/master/pdf/windows-basic-event-logs.pdf
- https://github.com/christophetd/hunting-ndmaps/blob/master/pdf/memory-hunting.pdf
- https://github.com/EricZimmerman
- https://www.sans.org/blog/finding-unknown-malware-with-densityscout
- https://digital-forensics.sans.org/media/DFPS_FOR508_v4.6_4-19.pdf
- https://www.sans.org/blog/help-improve-edd-encrypted-disk-detector/
- http://dragon-online.net/ (Firefox said that there is cryptominer running here, be aware)
- https://www.youtube.com/c/SANSDigitalForensics
- https://digital-forensics.sans.org/media/rekall-memory-forensics-eatsheet.pdf
- https://www.andreafortuna.org/2018/06/04/using-mft-anomalies-to-spot-spicious-files-in-forensic-analysis/
- https://www.sans.org/reading-room/whitepapers/incident/incident-ndlers-handbook-33901
- https://docs.microsoft.com/en-us/powershell/module/dnsserver/set-sserverdiagnostics?view=win10-ps
- https://www.securitynik.com/
SANS Posters - https://www.sans.org/security-resources/posters/dfir-find-evil/35/download - https://in-addr.nl/mirror/SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf -