Earlier this year, SANS created the most in-depth incident response training scenario that spans multiple systems in FOR508: Advanced Forensic Analysis and Incident Response. We discussed the entire scenario in a blog titled: “Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results”
One of the biggest complaints in the DFIR community is the lack of realistic data to learn from. About a year ago, I set out to change that by creating a realistic scenario based on the experiences of the entire cadre of SANS instructors, with additional experts reviewing and advising on the attack “script”. The result is an incredibly rich and realistic attack scenario spanning multiple Windows-based systems in an enterprise environment. The scenario was built for the new FOR508: Advanced Forensics and Incident Response course, and our main goal was to place students in the middle of a real attack that they have to respond to.
The purpose is to give attendees of the new FOR508 real filesystem and memory images to examine in class so they can detect, identify, and forensicate APT-based activity across these systems. Students who attend the course get “real world” data to analyze, and the attack data gives them a direct feel for what it is like to investigate advanced adversaries.
As part of that exercise, the main spearphishing attack was carried out through a malicious Java applet. It can be clearly seen in the supertimeline created as part of the course. We locate the exact pivot point in the timeline using memory analysis, with both Redline from MANDIANT and Volatility in the SIFT Workstation.
Over the past few weeks, several tools have been released to parse the Java cache IDX files, which record the download of the Java-based malware seen in this attack.
IDX Format Links:
- ForensicsWiki Java by Joachim Metz (thanks to Corey Harrell for pointing this out)
- Java IDX Format by Mark Woan
IDX Parsing Tools:
If you would like to work with some of the .idx file residue from the attack supertimeline shown above, you can download the AD1 file we created. It contains the embedded .exe malware in addition to the two .idx files connected to the original attack listed above. The password for the file is “sansforensics”. If you don’t know how to open an AD1 Custom Content image file, download FTK Imager and open it there.
Java IDX Sample Files:
Note: By downloading the zipfile, you consent automatically to the following agreement: I certify that by having access to tools and programs that can be used to break or “hack” into systems, that I will only use them in an ethical, professional and legal manner. This means that I will only use them to test the current strength of security network so that proper improvements can be made. I will always get permission before running any of these tools on a network. If for some reason I do not use these tools in a proper manner, I do not hold SANS liable and accept full responsibility for my actions.