SlideShare a Scribd company logo

What the Heck Just Happened?

Ken Evans, profile picture
Ken Evans

The document introduces digital forensics and incident response, outlining basic memory analysis using Mandiant Redline and intermediate file system analysis with Log2Timeline. It discusses classical incident response steps and emphasizes the importance of capturing volatile memory and disk images for thorough analysis. A detailed process is provided, including necessary tools and commands for executing the analysis effectively.

Technology
Related topics:
Digital Forensics Incident Response
1 of 56
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
What the Heck Just Happened? An Introduction to Digital Forensics for Incident Response Ken Evans Information Security Incident Response Lead Henry Ford Health Systems CISSP, GSEC, GCFA, GCFE Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
What We’re Covering • Introduction to Digital Forensics • Basic memory analysis of a host with Mandiant Redline • Intermediate file system analysis of a host with Log2timeline
We Are NOT Covering… • Proper evidence handling procedures • Detailed information about forensic artifacts • About 165 tools in the SANS SIFT workstation • The best way to scale this for a business
To Get the Most Value From This Presentation • Don’t try to memorize the steps • Keep a high level view and go for the concepts • See if this looks useful or fun • Follow-up by getting the presentation and accessing the links at the end
The Scenario • You’re at work browsing when suddenly a popup window appears and then goes away immediately. • You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing. • Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine. • A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices. BUT…
Classical Incident Response Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned
Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned Incident Response with Full Intrusion Analysis Intrusion Analysis Memory Forensics Timeline Analysis File System Analysis Data Recovery
Our Approach Memory is VERY volatile, we need to capture it as soon as possible. We’ll use Mandiant Redline for this. Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
Some Assembly Required 1. Examiner system (64-bit, 4 GB RAM for VMware support) 2. Installation of Mandiant Redline on the Examiner system 3. External storage, larger than memory 4. External storage, larger than the source hard drive 5. Ubuntu Desktop 14 install disc on DVD or bootable USB 6. Installation of VMware Player on Examiner system 7. Installation of SANS SIFT Workstation 3 on Examiner system 8. MS Excel or other spreadsheet program (macro compatible) For Memory Analysis: For Disk Image Analysis:
Mandiant Redline Overview Malware can sometimes hide in transit or on disk, but eventually… IT MUST EXECUTE And to do that it needs to use… MEMORY! Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
Creating a Redline Collector Create a “Standard Collector” from Redline on your Examiner system.
Collector Option - Acquire Memory Image Make sure to Acquire Memory Image. Save the Collector to USB device.
Running the Redline Collector on the Subject Run Redline from the USB device with a command line session with elevated privileges.
Collector Can Take a While Depends mostly on: • Machine speed • RAM size • Disk speed
Time for the Subject Disk Image We need to capture a disk image without changing or corrupting the contents. One simple way to do this is to use Linux to read the disk. Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
Boot Ubuntu Live CD on Subject System
Launch a Terminal Session
Escalate to Super User
Note the Source Drive with lsblk Source 30 GB drive device is /dev/sda2 Mounted external media is /media/ubuntu/FreeAgent Drive Note: In Linux, everything is a file.
Use the dd Command to Make a Disk Image File dd Command Syntax if = input “file” of = output file bs = bytes to copy (i.e. buffer size) conv= convert flags noerror = continue if you get an error notrunc = do not truncate the output file
Image Can Take a While Depends mostly on: • Machine speed • Disk size • Disk speed
Analyze the Memory • Shutdown Ubuntu / Subject system • Hook the USB drive up to your Examiner system • Run Mandiant Redline
Open Collected Redline Data Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
Browse to your Collector Data Browse to the Collector data on the USB device.
Select the Time Stamped Audit Folder Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
Browse to your Collector Data We don’t need the Advanced or Indicators of Compromise options. Click Next.
Hurry Up and Wait No time for movies, though!
Select the Full Live Response Option
Review the Processes
Closer Examination of svchost.exe
MRI Report for svchost.exe - 1
MRI Report for svchost.exe - 2
Analyze the Disk Image • Hook the USB drive up to your Examiner system • Launch Vmware Player • Launch SIFT Workstation • Make sure USB drive is readable (mounted) in the SIFT Workstation
Super Timeline Process Overview • Unbuntu desktop live CD boot, dd command 1. Acquire Image • Launch SIFT workstation, mount command 2. Mount image for processing • log2timeline command 3. Create comprehensive timeline • l2t_process command 4. Filter the timeline • Colorize, sort, and analyze 5. Apply colorization macro
What the Heck Just Happened?
SIFT Workstation 3.0
Escalate your Privileges to Super User
Mount the .dd Image mount Command Syntax [options] sourcefile mountpoint -o = options flag ro = read-only loop = loopback show_sys_files = yes, show them streams_interface = how to interpret alternate data streams
Optional: Verify the Mount
Execute the log2timeline Command log2timeline Command Syntax [options] [-f format] [-z timezone] log_file [-w bodyfile] -p = preprocess (trust me, you want it) -r = recursive -f = format. There are several, check the docs for your type (-f list). -z = timezone. Use the timezone for the subject. Check the docs for the string …….(-z list).
How to List the Format Options
How to List the Time Zones The “-z list” feature will let you see the complete list of time zones and the strings to use.
log2timeline Sample Run
Timeline Might Take a While Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs
Let’s Trim it Down The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
l2t_process Command l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
l2t_process Command
l2t_process Command
Output of l2t_process This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
Color Timeline Blog Entry 1. Download it - Open Timeline Color Template 2. Switch to Color Timeline worksheet/tab 3. Click on Cell A-1 4. Select 'DATA' Ribbon 5. Import Data "FROM TEXT" 6. Select log2timeline.csv file 7. TEXT IMPORT WIZARD Will Start 8. Step 1 -> Select Delimited ->Select NEXT 9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT > 10. Step 3 ->Select Finish 11. Where do you want to put the data? Simply Select OK. 12. Once imported View -> Freeze Panes -> Freeze Top Row 13. Optional Hide Columns Timzone, User, Host, Short or Desc (keep one of these), Version 14. Select HOME Ribbon 15. Select all Cells "CTRL-A" 16. In Home Ribbon -> Sort and Filter - Filter http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline- template-for-log2timeline-output-files
What Does the Color Template Do? The color template will apply the following colors to rows in the timeline file.
Look What We Found!
Log2timeline Command Format
Summary • We used Mandiant Redline to do a quick memory analysis to find out if we had a problem • svchost.exe was called out by Redline • We followed it up with a more detailed file system analysis • We found a svchost.exe call in the middle of several other events of note
Resources - 1 SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident- response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super- timeline-template-for-log2timeline-output-files
Resources - 2 Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis- tool-for-threat-assessments Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf

More Related Content

PDF
Cs8493 unit 5
Kathirvel Ayyaswamy
 
PDF
Red Hat Training
Open Source Group
 
PPTX
Daemons
christina555
 
PDF
fall2013
Will Dixon
 
PPTX
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
PPT
Lesson 5 - Managing Devices
Gene Carboni
 
PDF
Workshop - Linux Memory Analysis with Volatility
Andrew Case
 
PDF
DTraceCloud2012
Brendan Gregg
 
Cs8493 unit 5
Kathirvel Ayyaswamy
 
Red Hat Training
Open Source Group
 
Daemons
christina555
 
fall2013
Will Dixon
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Andrew Case
 
Lesson 5 - Managing Devices
Gene Carboni
 
Workshop - Linux Memory Analysis with Volatility
Andrew Case
 
DTraceCloud2012
Brendan Gregg
 

What's hot (18)

PPT
Live Memory Forensics on Android devices
Nikos Gkogkos
 
PDF
CS9222 Advanced Operating System
Kathirvel Ayyaswamy
 
PPTX
Process Management in Android
Shrey Verma
 
PDF
Making Linux do Hard Real-time
National Cheng Kung University
 
PDF
AOS Lab 5: System calls
Zubair Nabi
 
PPT
Operating System 3
tech2click
 
PDF
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
PPT
Unix memory management
Tech_MX
 
PDF
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
PDF
LISA15: systemd, the Next-Generation Linux System Manager
Alison Chaiken
 
PPT
Mac Memory Analysis with Volatility
Andrew Case
 
PDF
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
PPTX
Device Drivers and Running Modules
YourHelper1
 
PDF
Linux Performance Analysis and Tools
Brendan Gregg
 
PPT
Ch04
Raja Waseem Akhtar
 
TXT
Readme
Joao MEndes
 
PPT
Chapter 3: Processes
Shafaan Khaliq Bhatti
 
PDF
Unit 4
pm_ghate
 
Live Memory Forensics on Android devices
Nikos Gkogkos
 
CS9222 Advanced Operating System
Kathirvel Ayyaswamy
 
Process Management in Android
Shrey Verma
 
Making Linux do Hard Real-time
National Cheng Kung University
 
AOS Lab 5: System calls
Zubair Nabi
 
Operating System 3
tech2click
 
2010 2013 sandro suffert memory forensics introdutory work shop - public
Sandro Suffert
 
Unix memory management
Tech_MX
 
Embedded Systems: Lecture 7: Lab 1: Preparing the Raspberry Pi
Ahmed El-Arabawy
 
LISA15: systemd, the Next-Generation Linux System Manager
Alison Chaiken
 
Mac Memory Analysis with Volatility
Andrew Case
 
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
Device Drivers and Running Modules
YourHelper1
 
Linux Performance Analysis and Tools
Brendan Gregg
 
Ch04
Raja Waseem Akhtar
 
Readme
Joao MEndes
 
Chapter 3: Processes
Shafaan Khaliq Bhatti
 
Unit 4
pm_ghate
 
Ad

Similar to What the Heck Just Happened? (20)

DOCX
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
PDF
sift_cheat_sheet.pdf
NaveenVarma Chintalapati
 
PDF
SACON - Windows Forensic (Dr. Phil Polstra)
Priyanka Aash
 
PDF
(SACON) Dr. Phil Polstra - windows & linux forensics
Priyanka Aash
 
PDF
MNSEC 2018 - Windows forensics
MNCERT
 
PDF
Debian Linux as a Forensic Workstation
Vipin George
 
PDF
Workshop 2 revised
peterchanws
 
PDF
kbrgwillis.pdf
Kblblkb
 
PPT
Digital Forensic Tools - Application Specific.
guestcf6f5b
 
PPT
Digital Forensic tools - Application Specific
ideaflashed
 
PPTX
Deft
saddamhusain hadimani
 
PDF
dataacquisition.pdf
Jayaprasanna4
 
PPTX
Data Acquisition
primeteacher32
 
PPTX
Forensic imaging
DINESH KAMBLE
 
PDF
File000173
Desmond Devendran
 
PDF
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
PPTX
Deft v7
TGodfrey
 
PDF
Accessioning Born-Digital Materials
peterchanws
 
PDF
SCA Accessioning Born-Digital Materials Workshop, Nov. 8, 2012
peterchanws
 
PPT
Guide to computer forensics and investigation.ppt
MaluOffice
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
sift_cheat_sheet.pdf
NaveenVarma Chintalapati
 
SACON - Windows Forensic (Dr. Phil Polstra)
Priyanka Aash
 
(SACON) Dr. Phil Polstra - windows & linux forensics
Priyanka Aash
 
MNSEC 2018 - Windows forensics
MNCERT
 
Debian Linux as a Forensic Workstation
Vipin George
 
Workshop 2 revised
peterchanws
 
kbrgwillis.pdf
Kblblkb
 
Digital Forensic Tools - Application Specific.
guestcf6f5b
 
Digital Forensic tools - Application Specific
ideaflashed
 
Deft
saddamhusain hadimani
 
dataacquisition.pdf
Jayaprasanna4
 
Data Acquisition
primeteacher32
 
Forensic imaging
DINESH KAMBLE
 
File000173
Desmond Devendran
 
CNIT 121: 12 Investigating Windows Systems (Part 1 of 3)
Sam Bowne
 
Deft v7
TGodfrey
 
Accessioning Born-Digital Materials
peterchanws
 
SCA Accessioning Born-Digital Materials Workshop, Nov. 8, 2012
peterchanws
 
Guide to computer forensics and investigation.ppt
MaluOffice
 
Ad

Recently uploaded (20)

PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
August Patch Tuesday
Ivanti
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Modernising the Digital Integration Hub
Daniel Toomey
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
project resource management chapter-09.pdf
ssuser00e6e21
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 

What the Heck Just Happened?

  • 1. What the Heck Just Happened? An Introduction to Digital Forensics for Incident Response Ken Evans Information Security Incident Response Lead Henry Ford Health Systems CISSP, GSEC, GCFA, GCFE Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf
  • 2. What We’re Covering • Introduction to Digital Forensics • Basic memory analysis of a host with Mandiant Redline • Intermediate file system analysis of a host with Log2timeline
  • 3. We Are NOT Covering… • Proper evidence handling procedures • Detailed information about forensic artifacts • About 165 tools in the SANS SIFT workstation • The best way to scale this for a business
  • 4. To Get the Most Value From This Presentation • Don’t try to memorize the steps • Keep a high level view and go for the concepts • See if this looks useful or fun • Follow-up by getting the presentation and accessing the links at the end
  • 5. The Scenario • You’re at work browsing when suddenly a popup window appears and then goes away immediately. • You look at your system for a minute, don’t see anything amiss, shrug your shoulders and keep browsing. • Thirty minutes later the help desk calls you and asks why you are pinging an RBN command and control server in the Ukraine. • A virus scan and a reboot later, no one sees any problem, and the traffic has stopped, so they leave you to your own devices. BUT…
  • 6. Classical Incident Response Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned
  • 7. Preparation Identification and Scoping Containment / Intelligence Gathering Eradication / Remediation Recovery Follow Up / Lessons Learned Incident Response with Full Intrusion Analysis Intrusion Analysis Memory Forensics Timeline Analysis File System Analysis Data Recovery
  • 8. Our Approach Memory is VERY volatile, we need to capture it as soon as possible. We’ll use Mandiant Redline for this. Logs and other artifacts on the disk are also volatile, in that they can decay and additional noise can make it harder to find the entries we want. We’ll take a disk image and create a Super Timeline for this.
  • 9. Some Assembly Required 1. Examiner system (64-bit, 4 GB RAM for VMware support) 2. Installation of Mandiant Redline on the Examiner system 3. External storage, larger than memory 4. External storage, larger than the source hard drive 5. Ubuntu Desktop 14 install disc on DVD or bootable USB 6. Installation of VMware Player on Examiner system 7. Installation of SANS SIFT Workstation 3 on Examiner system 8. MS Excel or other spreadsheet program (macro compatible) For Memory Analysis: For Disk Image Analysis:
  • 10. Mandiant Redline Overview Malware can sometimes hide in transit or on disk, but eventually… IT MUST EXECUTE And to do that it needs to use… MEMORY! Mandiant Redline is a great way to visually analyze the memory on your machine to look for problems.
  • 11. Creating a Redline Collector Create a “Standard Collector” from Redline on your Examiner system.
  • 12. Collector Option - Acquire Memory Image Make sure to Acquire Memory Image. Save the Collector to USB device.
  • 13. Running the Redline Collector on the Subject Run Redline from the USB device with a command line session with elevated privileges.
  • 14. Collector Can Take a While Depends mostly on: • Machine speed • RAM size • Disk speed
  • 15. Time for the Subject Disk Image We need to capture a disk image without changing or corrupting the contents. One simple way to do this is to use Linux to read the disk. Professionals would use a write blocker or do a live capture here, but those are more complicated or need special equipment or software.
  • 16. Boot Ubuntu Live CD on Subject System
  • 17. Launch a Terminal Session
  • 19. Note the Source Drive with lsblk Source 30 GB drive device is /dev/sda2 Mounted external media is /media/ubuntu/FreeAgent Drive Note: In Linux, everything is a file.
  • 20. Use the dd Command to Make a Disk Image File dd Command Syntax if = input “file” of = output file bs = bytes to copy (i.e. buffer size) conv= convert flags noerror = continue if you get an error notrunc = do not truncate the output file
  • 21. Image Can Take a While Depends mostly on: • Machine speed • Disk size • Disk speed
  • 22. Analyze the Memory • Shutdown Ubuntu / Subject system • Hook the USB drive up to your Examiner system • Run Mandiant Redline
  • 23. Open Collected Redline Data Click on upper-left “R” symbol for menu, and select Analyze Collected Data.
  • 24. Browse to your Collector Data Browse to the Collector data on the USB device.
  • 25. Select the Time Stamped Audit Folder Drill down through the Redline directory until you get to the folder that is based on the date the collector ran. Then click the Select Folder button.
  • 26. Browse to your Collector Data We don’t need the Advanced or Indicators of Compromise options. Click Next.
  • 27. Hurry Up and Wait No time for movies, though!
  • 28. Select the Full Live Response Option
  • 30. Closer Examination of svchost.exe
  • 31. MRI Report for svchost.exe - 1
  • 32. MRI Report for svchost.exe - 2
  • 33. Analyze the Disk Image • Hook the USB drive up to your Examiner system • Launch Vmware Player • Launch SIFT Workstation • Make sure USB drive is readable (mounted) in the SIFT Workstation
  • 34. Super Timeline Process Overview • Unbuntu desktop live CD boot, dd command 1. Acquire Image • Launch SIFT workstation, mount command 2. Mount image for processing • log2timeline command 3. Create comprehensive timeline • l2t_process command 4. Filter the timeline • Colorize, sort, and analyze 5. Apply colorization macro
  • 37. Escalate your Privileges to Super User
  • 38. Mount the .dd Image mount Command Syntax [options] sourcefile mountpoint -o = options flag ro = read-only loop = loopback show_sys_files = yes, show them streams_interface = how to interpret alternate data streams
  • 40. Execute the log2timeline Command log2timeline Command Syntax [options] [-f format] [-z timezone] log_file [-w bodyfile] -p = preprocess (trust me, you want it) -r = recursive -f = format. There are several, check the docs for your type (-f list). -z = timezone. Use the timezone for the subject. Check the docs for the string …….(-z list).
  • 41. How to List the Format Options
  • 42. How to List the Time Zones The “-z list” feature will let you see the complete list of time zones and the strings to use.
  • 44. Timeline Might Take a While Depends mostly on: • Machine speed • Disk speed • Age of machine / size of logs
  • 45. Let’s Trim it Down The resulting file will be between hundreds of thousands and a couple million entries. Yuck. Let’s focus on our pivot point.
  • 46. l2t_process Command l2t_process Command Syntax l2t_process [OPTIONS] -b CSV_FILE [DATE_RANGE] Where DATE_RANGE is MM-DD-YYYY or MM-DD-YYYY..MM-DD-YYYY NOTE: Make sure to process at least 1 full day (e.g. 23rd to 24th in this example)
  • 49. Output of l2t_process This is a date filtered file, with all the duplicates removed. We still have 80K entries for 1 day, but we are closer.
  • 50. Color Timeline Blog Entry 1. Download it - Open Timeline Color Template 2. Switch to Color Timeline worksheet/tab 3. Click on Cell A-1 4. Select 'DATA' Ribbon 5. Import Data "FROM TEXT" 6. Select log2timeline.csv file 7. TEXT IMPORT WIZARD Will Start 8. Step 1 -> Select Delimited ->Select NEXT 9. Step 2 -> Unselect Tab under Delimiters -> Select Comma under Delimiters -> Select NEXT > 10. Step 3 ->Select Finish 11. Where do you want to put the data? Simply Select OK. 12. Once imported View -> Freeze Panes -> Freeze Top Row 13. Optional Hide Columns Timzone, User, Host, Short or Desc (keep one of these), Version 14. Select HOME Ribbon 15. Select all Cells "CTRL-A" 16. In Home Ribbon -> Sort and Filter - Filter http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline- template-for-log2timeline-output-files
  • 51. What Does the Color Template Do? The color template will apply the following colors to rows in the timeline file.
  • 52. Look What We Found!
  • 54. Summary • We used Mandiant Redline to do a quick memory analysis to find out if we had a problem • svchost.exe was called out by Redline • We followed it up with a more detailed file system analysis • We found a svchost.exe call in the middle of several other events of note
  • 55. Resources - 1 SANS SIFT Workstation 3.0 Download http://digital-forensics.sans.org/community/downloads SANS SIFT Workstation Blog http://digital-forensics.sans.org/blog/category/sift-workstation SANS SIFT Workstation YouTube series https://www.youtube.com/playlist?list=PL60DFAE759FCDF36A Super Timeline Creation Cheat Sheet http://blogs.sans.org/computer-forensics/files/2011/12/digital-forensics-incident- response-log2timeline-timeline-cheatsheet.pdf Timeline Colorization Template Instructions http://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super- timeline-template-for-log2timeline-output-files
  • 56. Resources - 2 Mandiant Redline Download https://www.mandiant.com/resources/download/redline Example: Use the Mandiant Redline memory analysis tool for threat assessments http://searchsecurity.techtarget.com/video/Use-the-Mandiant-Redline-memory-analysis- tool-for-threat-assessments Kevans.infosec@gmail.com http://csc-hub.com/what_the_heck.pdf