BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
Download as PPTX, PDF7 likes3,987 views
The document discusses the evolution of digital forensics, particularly focusing on PowerShell as a powerful tool for data collection and incident response. It highlights the importance of a 'hunt' mentality in cybersecurity and the effectiveness of live response techniques compared to traditional imaging methods. Additionally, it emphasizes ongoing advancements and community involvement in the development of forensic tools and capabilities.
![Prevention
○Prevailing Network Defense Concept for much
of the 90s and 2000s
○Goal of stopping attacks at the perimeter
□ Glory years of “Server Side Exploits”
○Largely failed due to rise in the popularity of
“Client Side”attacks
“...more than two-thirds of [Cyber Espionage]
incidents ... have featured phishing.” -Verizon](https://image.slidesharecdn.com/bsidesdc-151018213104-lva1-app6891/85/BSidesDC-it-Do-It-Live-PowerShell-Digital-Forensics-7-320.jpg)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
- 1. **** it, Do It Live! (PowerShell Digital Forensics) Jared Atkinson Veris Group’s Adaptive Threat Division
- 2. Special Thanks ○This tool and presentation would not be possible if it wasn’t for the help and phenomenal work from these people: □Matt Graeber (PowerShell Wizardry) □Richard Russon (Linux-NTFS Project) □Joachim Metz (Libyal Project) □Jeff Bryner (NBDServer) □Carlos Perez (PowerShell Binary Module) □David Cowan (NTFS Triforce) □Ange Albertini (Corkami) □Phil Polstra (Linux Forensics) □James Habben (NTFS Fixup Values)
- 3. @jaredcatkinson ○Jared Atkinson □Hunt Capability Lead for Adaptive Threat Division ○ Leads the service line responsible for proactive detection and response to advanced threats in Fortune 100 commercial environments □2015 Black Hat Minesweeper Champion □Moderator of the PowerShell.com “Security Forum” □Developer of PowerForensics, Uproot IDS, and WMIEventing □Researcher of forensic artifact file formats □History ○ U.S. Air Force Hunt (2011 - 2015) ○ GCFA, GCWN, GREM, etc.
- 4. Hunting Philosophy To Hunt, or not to Hunt...
- 5. Intrusions
- 6. Cyber Kill Chain ○F2T2EA □Find, Fix, Target, Track, Engage, Assess ○Adapted from Lockheed Martin White Paper ○Any broken link will affect the entire chain
- 7. Prevention ○Prevailing Network Defense Concept for much of the 90s and 2000s ○Goal of stopping attacks at the perimeter □ Glory years of “Server Side Exploits” ○Largely failed due to rise in the popularity of “Client Side”attacks “...more than two-thirds of [Cyber Espionage] incidents ... have featured phishing.” -Verizon
- 8. Incident Response ○Early 2000s to mid 2010s ○“Five Alarm Fire” Concept ○Kicked off by: □Network security monitoring alerts □Third party notification □Public disclosure ○By the time you notice it is often too late
- 9. Hunting ○Concept originating in the US DoD ○Practice “Assume Breach” mentality ○Detection, Investigation, Response □Deny, Degrade, Disrupt, Manipulate “Fundamentally, if somebody wants to get in, they're getting in… Accept that… What we tell clients is: Number one, you're in the fight, whether you thought you were or not. Number two, you're almost certainly are penetrated.” Michael Hayden Former Director of CIA & NSA
- 10. Evolution of Forensics “Intelligence is based on how efficient a species became at doing the things they need to survive.” -Charles Darwin
- 12. Image ○Analyst takes an infected machine offline, make a hard drive image (bit for bit copy) and perform forensic analysis ○Pros □“Gold” Standard over past 2+ decades □Repeatable results □Allows for thorough analysis ○Cons □Lose all volatile data □Slow/non-scalable
- 13. Collection Scripts ○Analyst uses a script to collect forensically relevant files often using third party binaries to access certain files □First step in automating DFIR processes ○Pros □Speed □Scalability ○Cons □Often Messy (Not Forensically Sound) □Third party dependencies (File Access, Artifact Parsing, Remote support) □Analysis done in vacuum
- 14. Live Response ○Analyst quickly triages key file system artifacts in a forensically sound manner □Merges some of the best attributes of Imaging and Collection Scripts □“Intelligent” Analysis – Where the analysis of one artifact points the analyst in the direction of another ○Pros □Speed/Scalability □Forensically Sound □Self contained ○Cons □Repeatability
- 15. Response PowerForensics Old Dog, New Tricks Detection Investigation
- 16. What is PowerShell ○Task-based command-line shell and scripting language ○Built on the .NET Framework □Cmdlets for performing common system administration tasks □Consistent design □Powerful object manipulation capabilities □Extensible interface (Modules) ○ Independent software vendors and enterprise developers can build custom tools and utilities to administer their software. □Full access to the Windows API
- 17. Requirements ○Centralized forensic toolset ○Forensically sound □Parse raw disk structures □Don’t alter NTFS timestamps ○Can execute on a live (running) host ○Operationally fast □Collect forensic data in seconds or minutes ○Modular capabilities □Cmdlets perform discrete tasks and can be tied together for more complicated tasks ○Capable of working remotely □At the proof of concept stage
- 19. What is Forensically Sound? “A forensically sound duplicate is obtained in a manner that does not materially alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented, and should be justified to the extent applicable.” - Richard Bejtlich and Harlan Carvey
- 23. Fast?!?
- 26. NTFS System Files Get-AttrDef Get-BadClus Get-Bitmap Get-UsnJrnlGet-UsnJrnlInformation Get-VolumeInformation Get-VolumeName
- 27. Windows Registry Get-RegistryKey Get-Amcache Get-NetworkList Get-Timezone Get-UserAssist Get-RegistryValue
- 30. Investigation Demo My sacrifice to the demo gods…
- 31. Notification ○Time: 13 October 2015 18:31 UTC ○Hostname: WIN-KFGTOETNIFJ ○IP Address: 10.20.3.187 ○Activity Description: □At 18:31 UTC on 13 Oct 2015 a machine with IP of 10.20.3.187 called out to a previously unseen IP address of 10.20.3.191 (pretend this is a domain :-D) over port 80. During this and a number of additional connections analysts noticed a sizeable amount of data transferred from the internal asset to an external system (10.20.3.191).
- 34. Report ○Time: 13 October 2015 18:30 - 18:38 UTC ○At job to elevate to SYSTEM context □Executed launcher.bat ○Implant appeared to use some combination of PowerShell and WMI in implant ○Created staging directory named “exfil” ○Compressed three files to create an archive called exfil.zip (which we recovered) □hamburgerrecipes.txt □finances.csv □password.txt
- 36. The Future The Shiny Shiny Future
- 37. Moving Forward ○More artifacts!! □ESE database support (SRUM, NTDS.dit, etc.) ○Support for alternate file systems □Windows: FAT12, FAT16, FAT32, exFAT □Linux: Ext2, Ext3, Ext4 □Mac: HFS+ ○Online documentation (Open API) ○Community Involvement!!! ○Organic Remoting □Network Block Device (NBD) to the rescue