Slides for Jared Atkinson's talk at BSidesDC titled "**** it, Do It Live (PowerShell Digital Forensics)". The presentation was given on 17 October 2015
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
1. **** it, Do It Live!
(PowerShell Digital Forensics)
Jared Atkinson
Veris Group’s Adaptive Threat Division
2. Special Thanks
○This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people:
□Matt Graeber (PowerShell Wizardry)
□Richard Russon (Linux-NTFS Project)
□Joachim Metz (Libyal Project)
□Jeff Bryner (NBDServer)
□Carlos Perez (PowerShell Binary Module)
□David Cowan (NTFS Triforce)
□Ange Albertini (Corkami)
□Phil Polstra (Linux Forensics)
□James Habben (NTFS Fixup Values)
3. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments
□2015 Black Hat Minesweeper Champion
□Moderator of the PowerShell.com “Security Forum”
□Developer of PowerForensics, Uproot IDS, and WMIEventing
□Researcher of forensic artifact file formats
□History
○U.S. Air Force Hunt (2011 - 2015)
○GCFA, GCWN, GREM, etc.
6. Cyber Kill Chain
○F2T2EA
□Find, Fix, Target, Track, Engage, Assess
○Adapted from Lockheed Martin White Paper
○Any broken link will affect the entire chain
7. Prevention
○Prevailing network defense concept for much of the 90s and 2000s
○Goal of stopping attacks at the perimeter
□Glory years of “Server Side Exploits”
○Largely failed due to the rise in popularity of “Client Side” attacks
“...more than two-thirds of [Cyber Espionage] incidents ... have featured phishing.” - Verizon
8. Incident Response
○Early 2000s to mid 2010s
○“Five Alarm Fire” Concept
○Kicked off by:
□Network security monitoring alerts
□Third party notification
□Public disclosure
○By the time you notice it is often too late
9. Hunting
○Concept originating in the US DoD
○Practice “Assume Breach” mentality
○Detection, Investigation, Response
□Deny, Degrade, Disrupt, Manipulate
“Fundamentally, if somebody wants to get in, they're getting in… Accept that… What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you almost certainly are penetrated.”
Michael Hayden, Former Director of CIA & NSA
12. Image
○Analyst takes an infected machine offline, makes a hard drive image (bit-for-bit copy) and performs forensic analysis
○Pros
□“Gold” Standard over past 2+ decades
□Repeatable results
□Allows for thorough analysis
○Cons
□Lose all volatile data
□Slow/non-scalable
13. Collection Scripts
○Analyst uses a script to collect forensically relevant files, often using third party binaries to access certain files
□First step in automating DFIR processes
○Pros
□Speed
□Scalability
○Cons
□Often Messy (Not Forensically Sound)
□Third party dependencies (file access, artifact parsing, remote support)
□Analysis done in a vacuum
14. Live Response
○Analyst quickly triages key file system artifacts in a forensically sound manner
□Merges some of the best attributes of Imaging and Collection Scripts
□“Intelligent” Analysis – where the analysis of one artifact points the analyst in the direction of another
○Pros
□Speed/Scalability
□Forensically Sound
□Self contained
○Cons
□Repeatability
16. What is PowerShell
○Task-based command-line shell and scripting language
○Built on the .NET Framework
□Cmdlets for performing common system administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface (Modules)
○Independent software vendors and enterprise developers can build custom tools and utilities to administer their software.
□Full access to the Windows API
17. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live (running) host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage
19. What is Forensically Sound?
“A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey
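The "Requirements" slide asks that a live-response tool not alter NTFS timestamps, and the Bejtlich/Carvey definition makes "does not materially alter the source evidence" the test. The following is an added example, not code from the talk or from PowerForensics: it snapshots the timestamps the Win32 API exposes before and after a collection step and reports any drift, so a collector can be checked against that requirement. The path and the naive Get-Content collector are constructed for illustration.

```powershell
# Added example (not from the talk or PowerForensics). Only the
# $STANDARD_INFORMATION timestamps visible through the file API are checked;
# the $FILE_NAME attribute timestamps require raw MFT parsing to inspect.
function Get-TimestampSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $snap = @{}
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $snap[$_.FullName] = [pscustomobject]@{
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                Accessed = $_.LastAccessTimeUtc
            }
        }
    return $snap
}

# Runs the collection scriptblock and returns one record per changed timestamp.
function Test-CollectionIsSound {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$Collect
    )
    $before = Get-TimestampSnapshot -Path $Path
    & $Collect                      # the collection step under test
    $after  = Get-TimestampSnapshot -Path $Path
    $drift = foreach ($file in $before.Keys) {
        if (-not $after.ContainsKey($file)) { continue }
        foreach ($field in 'Created', 'Modified', 'Accessed') {
            if ($before[$file].$field -ne $after[$file].$field) {
                [pscustomobject]@{
                    File   = $file
                    Field  = $field
                    Before = $before[$file].$field
                    After  = $after[$file].$field
                }
            }
        }
    }
    return $drift
}

# Constructed usage: a naive collector that opens every file with Get-Content.
# On a volume where last-access updates are enabled this shows 'Accessed' drift,
# which is exactly the alteration a forensically sound collector must avoid.
$target = 'C:\Users\Public'   # constructed path; point at the directory under test
$drift = Test-CollectionIsSound -Path $target -Collect {
    Get-ChildItem -LiteralPath $target -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Content -LiteralPath $_.FullName -TotalCount 1 | Out-Null }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'No API-visible timestamp drift' }
```

Whether the naive collector shows drift depends on the volume's last-access update setting; an empty result therefore means only that nothing the API can see changed, not that the raw MFT was untouched.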
31. Notification
○Time: 13 October 2015 18:31 UTC
○Hostname: WIN-KFGTOETNIFJ
○IP Address: 10.20.3.187
○Activity Description:
□At 18:31 UTC on 13 Oct 2015 a machine with IP of 10.20.3.187 called out to a previously unseen IP address of 10.20.3.191 (pretend this is a domain :-D) over port 80. During this and a number of additional connections analysts noticed a sizeable amount of data transferred from the internal asset to an external system (10.20.3.191).
34. Report
○Time: 13 October 2015 18:30 - 18:38 UTC
○AT job to elevate to SYSTEM context
□Executed launcher.bat
○Implant appeared to use some combination of PowerShell and WMI
○Created staging directory named “exfil”
○Compressed three files to create an archive called exfil.zip (which we recovered)
□hamburgerrecipes.txt
□finances.csv
□password.txt