Slides for Jared Atkinson's talk at BSidesDC titled "**** it, Do It Live (PowerShell Digital Forensics)". The presentation was given on 17 October 2015

1. **** it, Do It Live!
(PowerShell Digital Forensics)
Jared Atkinson
Veris Group’s Adaptive Threat Division

2. Special Thanks
○This tool and presentation would not be possible
if it wasn’t for the help and phenomenal work
from these people:
□Matt Graeber (PowerShell Wizardry)
□Richard Russon (Linux-NTFS Project)
□Joachim Metz (Libyal Project)
□Jeff Bryner (NBDServer)
□Carlos Perez (PowerShell Binary Module)
□David Cowan (NTFS Triforce)
□Ange Albertini (Corkami)
□Phil Polstra (Linux Forensics)
□James Habben (NTFS Fixup Values)

3. @jaredcatkinson
○Jared Atkinson
□Hunt Capability Lead for Adaptive Threat Division
○ Leads the service line responsible for proactive detection
and response to advanced threats in Fortune 100
commercial environments
□2015 Black Hat Minesweeper Champion
□Moderator of the PowerShell.com “Security Forum”
□Developer of PowerForensics, Uproot IDS, and
WMIEventing
□Researcher of forensic artifact file formats
□History
○ U.S. Air Force Hunt (2011 - 2015)
○ GCFA, GCWN, GREM, etc.

4. Hunting
Philosophy
To Hunt, or not to Hunt...

5. Intrusions

6. Cyber Kill Chain
○F2T2EA
□Find, Fix, Target, Track, Engage, Assess
○Adapted from Lockheed Martin White Paper
○Any broken link will affect the entire chain

7. Prevention
○Prevailing Network Defense Concept for much
of the 90s and 2000s
○Goal of stopping attacks at the perimeter
□ Glory years of “Server Side Exploits”
○Largely failed due to rise in the popularity of
“Client Side”attacks
“...more than two-thirds of [Cyber Espionage]
incidents ... have featured phishing.” -Verizon

8. Incident Response
○Early 2000s to mid 2010s
○“Five Alarm Fire” Concept
○Kicked off by:
□Network security monitoring alerts
□Third party notification
□Public disclosure
○By the time you notice it is often too late

9. Hunting
○Concept originating in the US DoD
○Practice “Assume Breach” mentality
○Detection, Investigation, Response
□Deny, Degrade, Disrupt, Manipulate
“Fundamentally, if somebody wants to get in, they're getting in… Accept
that… What we tell clients is:
Number one, you're in the fight, whether you thought you were or not.
Number two, you're almost certainly are penetrated.”
Michael Hayden
Former Director of CIA & NSA

10. Evolution of
Forensics
“Intelligence is based on how efficient a
species became at doing the things they
need to survive.” -Charles Darwin

11. Investigation
Evolution
Image
Collection
Scripts
Live
Response

12. Image
○Analyst takes an infected machine offline, make
a hard drive image (bit for bit copy) and perform
forensic analysis
○Pros
□“Gold” Standard over past 2+ decades
□Repeatable results
□Allows for thorough analysis
○Cons
□Lose all volatile data
□Slow/non-scalable

13. Collection Scripts
○Analyst uses a script to collect forensically
relevant files often using third party binaries to
access certain files
□First step in automating DFIR processes
○Pros
□Speed
□Scalability
○Cons
□Often Messy (Not Forensically Sound)
□Third party dependencies (File Access, Artifact Parsing,
Remote support)
□Analysis done in vacuum

14. Live Response
○Analyst quickly triages key file system artifacts
in a forensically sound manner
□Merges some of the best attributes of Imaging and
Collection Scripts
□“Intelligent” Analysis – Where the analysis of one artifact
points the analyst in the direction of another
○Pros
□Speed/Scalability
□Forensically Sound
□Self contained
○Cons
□Repeatability

15. Response
PowerForensics
Old Dog, New Tricks
Detection Investigation

16. What is PowerShell
○Task-based command-line shell and
scripting language
○Built on the .NET Framework
□Cmdlets for performing common system
administration tasks
□Consistent design
□Powerful object manipulation capabilities
□Extensible interface (Modules)
○ Independent software vendors and enterprise developers can
build custom tools and utilities to administer their software.
□Full access to the Windows API

17. Requirements
○Centralized forensic toolset
○Forensically sound
□Parse raw disk structures
□Don’t alter NTFS timestamps
○Can execute on a live (running) host
○Operationally fast
□Collect forensic data in seconds or minutes
○Modular capabilities
□Cmdlets perform discrete tasks and can be tied
together for more complicated tasks
○Capable of working remotely
□At the proof of concept stage

18. Forensics Toolbox

19. What is Forensically
Sound?
“A forensically sound duplicate is obtained in a manner that does
not materially alter the source evidence, except to the minimum
extent necessary to obtain the evidence. The manner used to
obtain the evidence must be documented, and should be
justified to the extent applicable.” - Richard Bejtlich and Harlan
Carvey

23. Fast?!?

24. Get-BootSector
Boot Sector
Get-MBR Get-GPT
Get-PartitionTable

25. NTFS Structures
Get-VolumeBootRecord
Get-FileRecord
Get-FileRecordIndex

26. NTFS System Files
Get-AttrDef Get-BadClus Get-Bitmap
Get-UsnJrnlGet-UsnJrnlInformation
Get-VolumeInformation Get-VolumeName

27. Windows Registry
Get-RegistryKey
Get-Amcache Get-NetworkList
Get-Timezone Get-UserAssist
Get-RegistryValue

28. Utility Cmdlets
Copy-FileRaw
Get-AlternateDataStream
Get-ChilditemRaw
Get-ContentRaw
Get-Prefetch Get-ScheduledJobRaw
Invoke-DD

29. Linux Support
Get-Superblock
Get-BlockGroupDescriptor
Get-Inode

30. Investigation Demo
My sacrifice to the demo gods…

31. Notification
○Time: 13 October 2015 18:31 UTC
○Hostname: WIN-KFGTOETNIFJ
○IP Address: 10.20.3.187
○Activity Description:
□At 18:31 UTC on 13 Oct 2015 a machine with IP
of 10.20.3.187 called out to a previously unseen
IP address of 10.20.3.191 (pretend this is a
domain :-D) over port 80. During this and a
number of additional connections analysts noticed
a sizeable amount of data transferred from the
internal asset to an external system (10.20.3.191).

32. Investigation Demo
https://youtu.be/YaYhl6c3S2U

33. File Recovery
Demo
https://youtu.be/0vndpNbWbIw

34. Report
○Time: 13 October 2015 18:30 - 18:38 UTC
○At job to elevate to SYSTEM context
□Executed launcher.bat
○Implant appeared to use some combination of
PowerShell and WMI in implant
○Created staging directory named “exfil”
○Compressed three files to create an archive
called exfil.zip (which we recovered)
□hamburgerrecipes.txt
□finances.csv
□password.txt

35. Attack Demo
https://youtu.be/aZxnIUOwb6E

36. The Future
The Shiny Shiny Future

37. Moving Forward
○More artifacts!!
□ESE database support (SRUM, NTDS.dit, etc.)
○Support for alternate file systems
□Windows: FAT12, FAT16, FAT32, exFAT
□Linux: Ext2, Ext3, Ext4
□Mac: HFS+
○Online documentation (Open API)
○Community Involvement!!!
○Organic Remoting
□Network Block Device (NBD) to the rescue

38. @jaredcatkinson
https://github.com/Invoke-IR/PowerForensics
https://github.com/Invoke-IR/PowerForensics_Source
Any questions?