3. Because attackers are now using memory-resident malware and tools that leave no trace on the disk, forensics experts must take a different approach to their investigations.
-Christopher Novak
-Director, Verizon's global investigative response unit.
7. Detect → Assess → Inoculate or Contain → Repeat
Once detected:
• Assess process activity and objectives
• Identify the source of the implant
• Assess exposure and depth of compromise
• Review security tool logs (endpoint, network, proxy, etc.) for further correlation and understanding
8. Based on the depth of compromise, choose to:
• Rebuild the system?
• Attempt to inoculate?
• Go for disk forensics?
[Diagram: Detect → Assess → Clean/Contain → Repeat, with Containment and Disk Forensics as the two exits from the loop]
9. Live forensics is not a replacement for disk-based forensics. It is a different approach and an add-on to traditional forensics. Based on the depth of compromise, one should take a different path from here. A hypothetical example is shown in the flowchart.
[Flowchart: Incident Assessment. Ransomware, no critical machine/data involved, confidence about incident objectives and depth of compromise → Rebuild. Adware detected, confidence about incident objectives and depth of compromise → Inoculate. Severe infection, requiring more resources and thorough investigation → Full-fledged disk-based forensics. Fourth branch: False positive.]
10. Inoculate
• Critical system that would be difficult to reimage
• High business impact
• Confidence in the ability to validate that the infection is handled entirely (EDR or the local forensics team validates that the system is clean against a known good configuration)
• Were credentials disclosed? Can you be sure?
• Do we have to change credentials and invalidate authentication tokens?
12. Identification
Make this a table and add screenshots
Looking for processes that…
…have no icon
…have no metadata like description or company name
…unsigned Microsoft images
…live in Windows directory or user profile or Temp or Recycle Bin
…are packed
…include strange URLs in their strings
…have open TCP/IP endpoints
…host suspicious DLLs or services
…inappropriate parent-child relationship
…utilizes high system resources
-Mark Russinovich
OR
Your parents telling you they have been infected with a virus because their system is running slow!
-Me
13. Review Active Network State
01 Check Network: the network will tell us where the machine is communicating.
02 Check Processes: processes provide insight into depth of compromise and exposure.
03 Check Persistence: identify persistence techniques and implant points of interest.
04 Check Files: files dropped/read provide insight into actor TTPs and malware family.
14. Check Network
Check Network Connections
- unusual TCP/UDP ports; unusual process/exe/dll
- blacklisted IP/domain
- netstat -naob 5
  n: numerical form; a: all connections and listening ports; o: owning process ID; b: executable involved in making the connection; 5: refresh interval, so the output is continually updated every 5 seconds
Check Firewall Status
- netsh firewall show config
- netsh firewall show currentprofile
- netsh advfirewall firewall show rule name=all
Check File Shares
- net view \\127.0.0.1
Check Open Sessions
- net session; net use
Check NetBIOS over TCP/IP
- nbtstat -c; nbtstat -s
Routing and ARP Table and DNS
- route print; arp -a; ipconfig /displaydns
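The netstat review above can be scripted so that every connection is joined to its owning process and image path and flagged in one pass. The following PowerShell is an added example, not part of the original deck: it uses Get-NetTCPConnection and Win32_Process, and the port list, the blocklisted addresses (TEST-NET ranges) and the trusted image directories are constructed assumptions to be replaced with the host's own baseline and the investigation's IOCs.

```powershell
# Added example (not from the original deck): join live TCP connections to their
# owning process and flag what slide 14 asks for. $CommonPorts, $BlocklistedRemotes
# and $TrustedImageRoots are constructed assumptions, not values from the deck.

$BlocklistedRemotes = @('203.0.113.10', '198.51.100.7')                  # constructed IOCs (TEST-NET addresses)
$CommonPorts        = @(53, 80, 443, 445, 135, 139, 3389, 5985, 5986)     # assumption: "usual" ports for this host
$TrustedImageRoots  = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ConnectionTriage {
    # One row per TCP connection (the equivalent of netstat -naob), with flags for review.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $p     = $procs[[int]$_.OwningProcess]
        $image = if ($p) { $p.ExecutablePath } else { $null }
        $flags = @()
        if ($_.RemoteAddress -in $BlocklistedRemotes) { $flags += 'blocklisted-remote' }
        if ($_.State -eq 'Established' -and $_.RemotePort -notin $CommonPorts) { $flags += 'unusual-port' }
        if ($_.State -eq 'Listen' -and $_.LocalPort -notin $CommonPorts -and $_.LocalAddress -ne '127.0.0.1') { $flags += 'unusual-listener' }
        if ($image -and -not ($TrustedImageRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'image-outside-trusted-dirs' }
        if (-not $p) { $flags += 'owner-exited' }      # PID no longer present: short-lived or exited process
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = if ($p) { $p.Name } else { '<exited>' }
            Image   = $image
            Flags   = ($flags -join ',')
        }
    }
}

$rows = Get-ConnectionTriage
$rows | Where-Object Flags | Sort-Object Process | Format-Table -AutoSize

# Evidence integrity: keep the full table, not just the flagged rows, and hash the export.
$out = Join-Path $env:TEMP 'netconn-triage.csv'
$rows | Export-Csv -NoTypeInformation -Path $out
Get-FileHash -Algorithm SHA256 -Path $out
```

Run it from an elevated prompt so that the owning process of every socket is visible. A flag is a reason to look, not a verdict: an unusual port on a known-good image is routine on many hosts, which is why the full table is exported alongside the flagged rows.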
15. Check Process
Check Running Processes
- Check names for typos
- Check loaded modules and services
- Check command line parameters
- Check parent-child relationships
- tasklist /m /fi "pid eq <pid>"
- tasklist /svc /fi "imagename eq <image name>"
- wmic process list brief
- wmic process get name,parentprocessid,processid,commandline
- certutil -decode <base64 encoded file> <decoded output file>
Check Strings for suspicious processes
Check Blacklisting
- certutil -hashfile <FILE PATH> SHA256
- check hash against known bad
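The four process checks on this slide (typo names, parent-child relationships, command line, hash against known bad) can be automated over the live process list. The PowerShell below is an added example, not code from the deck; the expected-parent table holds a few well-known Windows relationships, the look-alike check uses an edit distance of one against a short list of system binary names, and the known-bad hash set is a placeholder to be replaced with the investigation's IOCs.

```powershell
# Added example (not from the original deck): name, parent, command-line and hash
# checks over Win32_Process. $ExpectedParent and $SystemNames are a short, assumed
# baseline; $KnownBadSha256 is a placeholder IOC list.

$ExpectedParent = @{            # child -> expected parent image (well-known Windows relationships)
    'svchost.exe'  = 'services.exe'
    'services.exe' = 'wininit.exe'
    'lsass.exe'    = 'wininit.exe'
    'csrss.exe'    = 'smss.exe'
}
$SystemNames    = @('svchost.exe','lsass.exe','csrss.exe','services.exe','wininit.exe','winlogon.exe','explorer.exe','smss.exe')
$KnownBadSha256 = @('0000000000000000000000000000000000000000000000000000000000000000')   # placeholder IOC hash

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance: catches names one character away from a system binary (swapped or extra letter)
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i-1] -eq $b[$j-1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i-1, $j] + 1, $d[$i, $j-1] + 1), $d[$i-1, $j-1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-ProcessTriage {
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    $all | ForEach-Object { $byId[[int]$_.ProcessId] = $_ }
    foreach ($p in $all) {
        $name   = $p.Name.ToLower()
        $parent = $byId[[int]$p.ParentProcessId]
        $pname  = if ($parent) { $parent.Name.ToLower() } else { '<none>' }   # parent may have exited (PID reuse possible)
        $flags  = @()
        # 1. parent-child relationship
        if ($ExpectedParent.ContainsKey($name) -and $pname -ne $ExpectedParent[$name]) { $flags += "unexpected-parent:$pname" }
        # 2. look-alike names: distance 1 from a system binary but not equal to it
        foreach ($s in $SystemNames) {
            if ($name -ne $s -and (Get-EditDistance $name $s) -le 1) { $flags += "lookalike:$s" }
        }
        # 3. a genuine system binary name running from outside the Windows directory
        if ($name -in $SystemNames -and $p.ExecutablePath -and -not $p.ExecutablePath.StartsWith("$env:SystemRoot\", 'OrdinalIgnoreCase')) { $flags += 'wrong-path' }
        # 4. command line: encoded PowerShell or a long base64-looking argument
        if ($p.CommandLine -match '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}') { $flags += 'encoded-cmdline' }
        # 5. image hash against the known-bad set (the certutil -hashfile step)
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            $h = (Get-FileHash -Algorithm SHA256 -Path $p.ExecutablePath).Hash
            if ($h -in $KnownBadSha256) { $flags += 'known-bad-hash' }
        }
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Parent = $pname; Path = $p.ExecutablePath; Flags = ($flags -join ','); CommandLine = $p.CommandLine }
    }
}

Get-ProcessTriage | Where-Object Flags | Format-Table PID, Name, Parent, Flags, Path -AutoSize
```

The parent check only sees parents that are still running, so a missing parent is reported as `<none>` rather than as a mismatch; an "unexpected-parent" flag on svchost.exe or lsass.exe is the classic thing to pull on first, and an "encoded-cmdline" hit is what the certutil -decode step on the slide is for.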
16. Check Persistence
Check Scheduled Jobs
- wmic job list
- SchTasks.exe /query | more
Check Autostart Extensibility Points (ASEPs)
- wmic startup list full
Check WMI Event Consumers
Check Services
- sc query | more
Check User Accounts and Groups
- net user
- net localgroup
- net localgroup "Remote Desktop Users"
- wmic useraccount list full /format:table
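The persistence checks on this slide (Run keys, scheduled tasks, services, WMI event consumers, privileged local groups) can be collected into one table of findings. This PowerShell is an added example, not code from the deck: the Run/RunOnce key list and the "outside the Windows directory" heuristic for tasks and services are assumptions meant to be compared against a known-good baseline, and the WMI query reads the permanent event consumers in root\subscription.

```powershell
# Added example (not from the original deck): enumerate the ASEPs slide 16 lists
# into a uniform Source/Location/Name/Command table. The key list and the
# path heuristics are assumptions; tune them to the host's baseline.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }        # skip PSPath/PSParentPath/... provider metadata
            [pscustomobject]@{ Source = 'RunKey'; Location = $k; Name = $name; Command = $props.$name }
        }
    }
}

function Get-TasksOutsideWindows {
    # Scheduled tasks whose action runs something outside the Windows directory (coarse first cut)
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ($a.Execute -and $a.Execute -notmatch '^"?(%SystemRoot%|%windir%|C:\\Windows)\\') {
                [pscustomobject]@{ Source = 'Task'; Location = $t.TaskPath; Name = $t.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
            }
        }
    }
}

function Get-WmiEventConsumers {
    # Permanent WMI event consumers; CommandLine and ActiveScript consumers carry the payload to run
    Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer | ForEach-Object {
        $cmd = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } elseif ($_.ScriptText) { $_.ScriptText } else { '' }
        [pscustomobject]@{ Source = 'WMI'; Location = $_.CimClass.CimClassName; Name = $_.Name; Command = $cmd }
    }
}

function Get-ServicesOutsideWindows {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)^"?C:\\Windows\\' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Location = $_.StartMode; Name = $_.Name; Command = $_.PathName } }
}

function Get-PrivilegedGroupMembers {
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = 'Group'; Location = $g; Name = $_.Name; Command = $_.PrincipalSource } }
    }
}

$findings = @(Get-RunKeyEntries) + @(Get-TasksOutsideWindows) + @(Get-WmiEventConsumers) + @(Get-ServicesOutsideWindows) + @(Get-PrivilegedGroupMembers)
$findings | Format-Table -AutoSize

# Evidence integrity: export and hash the collection
$out = Join-Path $env:TEMP 'persistence-triage.csv'
$findings | Export-Csv -NoTypeInformation -Path $out
Get-FileHash -Algorithm SHA256 -Path $out
```

The WMI list is normally empty or very short on a workstation, so any CommandLineEventConsumer or ActiveScriptEventConsumer entry deserves a close look. The task and service filters will also list legitimate third-party software under Program Files; the point is to diff the table against a clean build of the same image, which is what the "known good configuration" on slide 10 refers to.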
17. Check Files
Check files against IOC/YARA rules
Check for typing mistakes in file names, file size, file directory, etc.
- forfiles /p %temp% /M *.dll /S /C "cmd /c echo @file @path @fdate @ftime"
  /P: path; /M: search mask; /S: recursive search; /C: command to execute for each file. This searches for all the DLLs inside the %temp% directory.
Check images without signatures
Check files in certain places like Recycle Bin, Temp, the current user profile, and ProgramData.
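The forfiles sweep above lists files; the PowerShell below, an added example that is not part of the deck, extends it to the rest of this slide: it walks the drop locations named here, keeps recently changed executables and scripts, checks Authenticode signatures, compares SHA256 hashes with an IOC list, and also reports alternate data streams (the ADS item from the next slide). The location list, the seven-day window and the IOC hash are assumptions and placeholders.

```powershell
# Added example (not from the original deck): sweep the locations slide 17 names for
# recently changed executables/scripts, check signatures, hashes and ADS.
# $Locations, $Since and $IocSha256 are assumptions/placeholders, not values from the deck.

$Locations  = @($env:TEMP, "$env:SystemRoot\Temp", $env:ProgramData, $env:USERPROFILE, "$env:SystemDrive\`$Recycle.Bin")
$Extensions = @('.exe', '.dll', '.scr', '.ps1', '.vbs', '.js', '.bat', '.cmd')
$IocSha256  = @('0000000000000000000000000000000000000000000000000000000000000000')   # placeholder IOC hash
$Since      = (Get-Date).AddDays(-7)                                                    # assumption: window of interest

function Get-FileTriage {
    foreach ($root in $Locations) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension.ToLower() -in $Extensions -and $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                $f = $_
                $flags = @()
                # 1. image without a valid signature (PE files only; scripts are rarely signed)
                $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
                if ($f.Extension -in @('.exe', '.dll', '.scr') -and $sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }
                # 2. hash against the IOC list
                $hash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName -ErrorAction SilentlyContinue).Hash
                if ($hash -in $IocSha256) { $flags += 'ioc-hash' }
                # 3. double extensions that disguise an executable as a document
                if ($f.Name -match '(?i)\.(pdf|doc|docx|xls|xlsx|jpg|txt)\.(exe|scr)$') { $flags += 'double-extension' }
                # 4. alternate data streams other than the main stream and the Mark-of-the-Web
                $ads = Get-Item -Path $f.FullName -Stream * -ErrorAction SilentlyContinue |
                       Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
                if ($ads) { $flags += "ads:$(@($ads.Stream) -join '|')" }
                [pscustomobject]@{
                    Path = $f.FullName; Size = $f.Length; Modified = $f.LastWriteTime
                    Signer = $sig.SignerCertificate.Subject; SHA256 = $hash; Flags = ($flags -join ',')
                }
            }
    }
}

$rows = Get-FileTriage
$rows | Where-Object Flags | Sort-Object Modified -Descending | Format-Table Modified, Flags, Path -AutoSize

# Evidence integrity: export the full listing after the sweep and hash it
$out = Join-Path $env:TEMP 'file-triage.csv'
$rows | Export-Csv -NoTypeInformation -Path $out
Get-FileHash -Algorithm SHA256 -Path $out
```

The SHA256 column is what you feed to the blacklist check on slide 15 and to any YARA or IOC matching done off-host. Unsigned binaries in Temp or the user profile are common for portable tools, so the signer and modification time are kept in the table to help separate those from a fresh drop.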
18. And many more things...
Clipboard: Get-Clipboard (PowerShell 5)
Command History: doskey /history
Open Unsaved Files
Prefetch
ShimCache
AmCache
ADS
Event Logs
20. Reference
Basics of Windows Incident Response
https://jordanpotti.com/2017/01/20/basics-of-windows-incident-response/
Windows Command Line Kung Fu with WMIC
https://isc.sans.edu/forums/diary/Windows+CommandLine+Kung+Fu+with+WMIC/1229/
Intrusion Discovery Cheat Sheet for Windows
https://pen-testing.sans.org/retrieve/windows-cheat-sheet.pdf
Check audience. Who has been infected with malware? Who is a DFIR/forensics person? Has anyone been to SANS DFIR training? Any malware authors?
So why exactly live forensics? Is it because dead forensics is dead?
Memory-resident malware.
Non-malware attacks: incidents that rely solely on legitimate system utilities or native tools.
Memory-only malware: malicious code is never saved to disk, perhaps because it was injected into another process.
"Fileless malware": when bringing focus on persistence mechanisms that avoid placing traditional executables on the file system.
Imaging and processing take a lot of time and require dedicated hardware as well.
You can take only as many forensic images/bit-stream copies as you have hardware write blockers, while here you can collect data from 5000 machines in one go.
There is no de facto standard for live forensics compared to disk-based forensics, but this is what I can broadly summarize. The only thing is that one has to follow the thumb rules of forensics while performing the investigation, and then there should not be much of a problem: always make sure of evidence integrity (hash everything), follow the order of volatility, document everything, etc.
This might look a little bit complex, but I want you to follow where I am trying to take this, and as we move towards the end every dot will start to join.
Identification is on slide 11. Will start identification and detection steps in a flow.
Once we have identified/suspected that something is unusual with the system, we need to detect what exactly is wrong. So we will check processes, network state, ASEPs, and other potential artifacts available on the system.
Now that we have detected the processes/connections/files which are responsible for causing this problem, we need to assess the objective and how badly we are infected.
Here comes the trick,
Inoculate here means: validate that the system is clean and validated against a known good configuration.
Let us see one hypothetical example here,
net view \\127.0.0.1
net session
net use
nbtstat -S
netstat -naob
netstat -naob 5
netsh firewall show config
netsh firewall show currentprofile
netsh http show services
tasklist
tasklist /m /fi "pid eq [pid]" - to list the modules loaded by a particular process
tasklist /svc - to list the services hosted by each process
wmic process get name,parentprocessid,processid,commandline /format:csv > "C:\Users\windows-d0\Desktop\wmicprocess.csv"
Sort the data
SchTasks.exe /query | more
sc query | more
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
- 200 ASEPs
net user
net localgroup
net localgroup "Remote Desktop Users"
doskey.exe /history
nc 127.0.0.1 portnumber
wmic process where processid=3140 get name,parentprocessid,processid
wmic process 6900 delete
echo bGludXggYmFzZTY0IGRlY29kZQo= | base64 -d