Talk on Windows Live Forensics @ Null Bangalore January Meetup. About basics of live forensics on Windows hosts.

1. Windows Live Forensics
101
1

2. @whoami
Arpan Raval
Analyst @Optiv Inc
DFIR and Threat Hunting
Twitter @arpanrvl
2

3. Because attackers are now using memory-
resident malware and tools that leave no trace
on the disk, forensics experts must take a
different approach to their investigations.
-Christopher Novak
-Director, Verizon's global investigative response unit.
3

4. Problems
with
Disk Forensics
Time consuming
Specialized equipment
Large volumes of data to analyze
Modern malware getting more
lethal and evasive.
4

5. Detect
Assess
Inoculate
Or
Contain
Repeat
Live Forensics
Process Cycle
5

6. Detect
Assess
Inoculate
Or
Contain
Repeat
Once Identified review the following:
 Processes and files
 Active network State
 Points of persistence
6

7. Detect
Assess
Inoculate
Or
Contain
Repeat
Once detected,
 Assess process activity and objectives
 Identify source of implant
 Assess exposure and depth of
compromise
 Review security tool logs – endpoint,
network, proxy, etc. for more co-
relation and understanding.
7

8. Based on depth of compromise choose to:
• Rebuild the system?
• Attempt to inoculate?
• Go for Disk Forensics?
8
Detect
Assess
Clean/Contain
Repeat
Containment
Disk
Forensics

9.  Live Forensics is not a replacement for Disk
based forensics.
 This is just different approach and add-on to
the traditional forensics.
 Based on the depth of compromise one
should go for the different path from here.
 Hypothetical Example is shown in the
flowchart.
Incident Assessment
Ransomware
No Critical
Machine/data
Involved
Confidence about
incident objectives
and depth of
compromise
Rebuild
Adware Detected
Confidence about
Incident Objectives
and depth of
compromise
Inoculate
Severe Infection
Required more
resources and
thorough Investigation
Full Fledge Disk Based
Forensics
False Positive
9

10.  Inoculate
• Critical system would be difficult to easily reimage
• High business impact
• Confidence in ability to validate infection is handled
entirely (EDR or local forensics team validate system is
clean and validated against known good configuration)
• Were credentials disclosed? Can you be sure?
• Do we have to change credentials and invalidate
authentication tokens
10

11. Detect
Assess
Clean/Contain
Repeat
If one choose to Clean,
 Repeat the steps until system can be
confirmed to be clean
Containment
Disk
Forensics
11

12. Identification
Make this a table and add screenshots
Looking for processes that…
…have no icon
…have no metadata like description or company name
…unsigned Microsoft images
…live in Windows directory or user profile or Temp or Recycle Bin
…are packed
…include strange URLs in their strings
…have open TCP/IP endpoints
…host suspicious DLLs or services
…inappropriate parent-child relationship
…utilizes high system resources
-Mark Russinovich
OR
Your parents telling you they have been infected with virus because their
system is running slow!
-Me12

13. Review Active Network State
Network will tell us where is
machine communicating
Check
ProcessesProcesses provide insight into
depth of compromise and exposure
Check
PersistenceIdentity persistence techniques and
implant points of interest
Check Files
Files dropped/read provide insight
into actor TTPs and malware family
Network01
02
03
04 13
Process
Persistence
Files

14. Check Network
 Check Network Connections
-unusual tcp/udp ports; unusual process/exe/dll
-blacklisted IP/domain
- netstat –naob -5
n-Numerical form; a-All connection and listening port;
o-Associated process ID; b-Executable involved in making
connection; 5- time interval for continually updated output at
every 5 seconds
 Check Firewall Status
- netsh firewall show config
- netsh firewall show currentprofile
- netsh advfirewall firewall show rule name=all
 Check File Shares
- net view 127.0.0.1
 Check open Sessions
- net session, net use
 Check NetBIOS over TCP/IP
- nbtstat –c; nbtstat –s
 Routing and ARP Table and DNS
- route print; arp –a; ipconfig /displaydns 14

15. Check Process
 Check Running Processes
- Check Names for typo
- Check loaded modules and services
- Check command line parameters
- Check parent child relationship
- tasklist /m /fi “pid”
- tasklist /svc /fi “image name”
- wmic process list brief
- wmic process get name,parentprocessid, processid,
commandline
- certutil –deocde <base64 encoded file> <Decoded Output File>
 Check Strings for suspicious processes
 Check Blacklisting
- certutil –hashfile <FILE PATH> SHA256
- check hash for known bad
15

16. Check
Persistence
 Check Scheduled Jobs
- wmic job list
- SchTasks.exe /query | more
 Check Autostart Extensibility Points, or ASEPs
- wmic startup list full
 Check WMI Event Consumers
 Check Services
- sc query | more
 Check User Accounts and Groups
- net user
- net localgroup
- net localgroup “Remote Desktop Users”
- wmic useraccount list full /format:table
16

17. Check Files
 Check Files Against IOC/Yara Rules
 Check for typing mistakes in File Names, File Size, File Directory etc.
- forfiles /p %temp% /M *.dll /S /C "cmd /c echo @file @path @fdate @ftime“
- /P: path; /M: Search Mask, /S: Recursive search, /C: command to execute for
each file. We have searched for all the dlls inside the %temp% directory here.
 Check Images without Signatures
 Check Files in certain places like Recycle Bin, Temp, Current User Profile,
Program Data.
17

18. And many more things..
 Clipboard
 Get-Clipboard (PowerShell 5)
 Command History
 Doskey /hostory
 Open Unsaved Files
 Prefetch
 ShimCache
 AmCache
 ADS
 Event Logs
18

19. DEMO
19

20. Reference
 Basic of Windows Incident Response
https://jordanpotti.com/2017/01/20/basics-of-windows-
incident-response/
 Windows Command Line Kung Fu with WMIC
https://isc.sans.edu/forums/diary/Windows+CommandLi
ne+Kung+Fu+with+WMIC/1229/
 Intrusion Discovery Cheat Sheet for Windows
https://pen-testing.sans.org/retrieve/windows-cheat-
sheet.pdf
20

21. Thank You!
21