The new version of SOF-ELK is here. Download, turn on, and get going on forensics analysis.

We are excited to announce the release of an all-new version of the free SOF-ELK®, or Security Operations and Forensics ELK virtual machine. Now based on the new version of the Elastic Stack, SOF-ELK is a complete rebuild that is faster and easier to use than its predecessors, making forensic and security data analysis easier than ever.

Since its introduction about five years ago, there have been more than 10,000 downloads of SOF-ELK around the world by computer forensic investigators and information security operations personnel in the government, law enforcement and commercial sectors. The SOF-ELK platform is a customized build of the open source ELK stack, consisting of the Elasticsearch storage and search engine, Logstash ingestion and enrichment component, and the Kibana dashboard frontend.

SOF-ELK was always designed to minimize the typically long and involved setup process the ELK stack requires by delivering a pre-built virtual appliance that can be downloaded in a ready-to-use state. It can consume various source data types (numerous log types as well as NetFlow), parses out the most critical data fields, and presents them on several stock dashboards. Users can also build custom data visualizations that suit their own investigative or operational requirements (and, because the project is fully open source, can choose to contribute those custom builds back to the primary code repository). Learn more about the SOF-ELK distribution.

The new version of SOF-ELK has been rebuilt from the ground up to take advantage of the new version of the Elastic Stack software and uses all of the Elastic Stack’s components. This required a total rebuild of all dashboards and supporting scripts. Simply download this distribution, turn it on, feed it some data and begin analysis. It’s that easy.

The SANS team has performed extensive testing of this distribution of the SOF-ELK platform. The new version’s most immediate benefits are its speed and refreshed browser interface. This is faster and easier to use and can visualize massive amounts of data through the dashboards. We also expect faster development cycles. Here are some more changes in the new SOF-ELK:

  • Supports the latest updates to the kernel and all CentOS packages.
  • Includes new parsers from upstream and community contributions.
  • Rebuilt and revalidated all Logstash parsers against the latest syntax.
  • Better handles dynamic (boot-time) memory allocation for Elasticsearch.
  • Rebuilt all Kibana dashboards to handle updated index mappings and field names.
  • IPv6 addresses can now be handled as IPs instead of strings.
  • Features many under-the-hood changes that will make our roadmap much smoother in the future.

The SOF-ELK platform was initially developed for SANS FOR572, Advanced Network Forensics and Analysis, and is now used in SANS SEC555, SIEM with Tactical Analysis. Additional course integrations are being actively worked on at this time and considered for future versions. However, SOF-ELK was always designed as a free resource for the digital forensic and broader information security communities at large – a ready-to-use appliance that teams can use without having to invest the many hours into deploying, configuring, and maintaining an Elastic Stack instance. We hope you check out the latest version of the SOF-ELK distribution.

SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

____________________________________________________________________________________

JOIN THIS WEBCAST TO FIND OUT MORE: 
SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operations

  • When: Tuesday, March 5th, 2019 at 1:00 PM EST 
  • Conducted by Phil Hagen
  • Register now

Overview

There is no shortage of digital evidence, with many DFIR and Security Operations teams handling terabytes of log and network data per week. This amount of data presents unique challenges, and many tools are simply inadequate at such a large scale. Commercial platforms that are up to the task are often far out of budgetary reach for small- and medium-sized organizations.

The Elastic Stack, a big data storage and analysis platform, has become increasingly popular due to its scalability and open-source components. Countless investigative and security teams have incorporated Elastic into their toolkits, often realizing the significant level of effort required to customize and manage such a powerful tool. To overcome some of these hurdles, the SOF-ELK platform was created. SOF-ELK aims to be an appliance-like virtual machine that is preconfigured to ingest and parse several hundred different types of log entries, as well as NetFlow data. The intent is to provide analysts and investigators with a tool that leverages the power of the Elastic Stack with minimal setup time and effort. Originally a part of the SANS FOR572, Advanced Network Forensics & Threat Hunting course, SOF-ELK has been incorporated into additional SANS courses and is released as a free and open-source platform for the overall security community.

In this webcast, we will explore SOF-ELK's use cases and the types of log data currently supported, as well as how to load data from live or archived sources. We will also show the various dashboards supplied with the VM and show how new features can be activated through the project's GitHub repository.

Top 11 Reasons Why You Should NOT Miss the SANS DFIR Summit and Training this Year

The SANS DFIR Summit and Training 2018 is turning 11! The 2018 event marks 11 years since SANS started what is today the digital forensics and incident response event of the year, attended by forensicators time after time. Join us and enjoy the latest in-depth presentations from influential DFIR experts and the opportunity to take an array of hands-on SANS DFIR courses. You can also earn CPE credits and get the opportunity to win coveted DFIR course coins!

To commemorate the 11th annual DFIR Summit and Training 2018, here are 11 reasons why you should NOT miss the Summit this year:

1.     Save money! There are two ways to save on your DFIR Summit & Training registration (offers cannot be combined):

·       Register for a DFIR course by May 7 and get 50% off a Summit seat (discount automatically applied at registration), or

·       Pay by April 19 and save $400 on any 4-day or 6-day course, or up to $200 off of the Summit. Enter code “EarlyBird18” when registering.

2.     Check out our jam-packed DFIR Summit agenda!

·       The two-day Summit will kick off with a keynote presentation by Kim Zetter, an award-winning journalist who has provided the industry with the most in-depth and important investigative reporting on information security topics. Her research on such topical issues as Stuxnet and election security has brought critical technical issues to the public in a way that clearly shows why we must continue to push the security industry forward.

·       The Summit agenda will also include a presentation about the Shadow Brokers, the group that allegedly leaked National Security Agency cyber tools, leading to some of the most significant cybersecurity incidents of 2017. Jake Williams and Matt Suiche, who were among those targeted by the Shadow Brokers, will cover the history of the group and the implications of its actions.

·       All DFIR Summit speakers are industry experts who practice digital forensics, incident response, and threat hunting in their daily jobs. The Summit Advisory Board handpicked these professionals to provide you with highly technical presentations that will give you a brand-new perspective on how the industry is evolving to fight against even the toughest of adversaries. But don’t take our word for it: have a sneak peek and check out some of the past DFIR Summit talks.

Immerse yourself in six days of the best in SANS DFIR training. Here are the courses you can choose from:

·       FOR500 – Advanced Windows Forensics

·       FOR585 – Advanced Smartphone Forensics

·       FOR610 – Reverse-Engineering Malware

·       FOR508 – Digital Forensics, Incident Response & Threat Hunting

·       FOR572 – Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

·       FOR578 – Cyber Threat Intelligence

·       FOR526 – Memory Forensics In-Depth

·       FOR518 – Mac and iOS Forensic Analysis and Incident Response

·       MGT517 – Managing Security Operations: Detection, Response, and Intelligence

3.    All courses will be taught by SANS’s best DFIR instructors. Stay tuned for more information on the courses we’re offering at the conference in a future post.

4.     Rub elbows and network with DFIR pros at evening events, including networking gatherings and receptions. On the first night of the Summit, we’re going to gather at one of Austin’s newest entertainment venues, SPiN, a ping pong restaurant and bar featuring 14 ping pong tables, lounges, great food, and drinks. Give your overloaded brain a break after class and join us at our SANS Community Night, Monday, June 9 at Speakeasy. We will have plenty of snacks and drinks to give you the opportunity to network with fellow students.

5.     Staying to take a DFIR course after the two-day Summit? Attend SANS@Night talks guaranteed to enrich your DFIR training experience with us. Want to know about threat detection on the cheap and other topics? As for cheap (and in this case, that doesn’t mean weak), there are actions you can take now to make threat detection more effective without breaking the bank. Attend this SANS@Night talk on Sunday evening to learn some baselines you should be measuring against and how to gain visibility into high-value actionable events that occur on your systems and networks.

6.     Celebrate this year’s Ken Johnson Scholarship Recipient, who will be announced at the Summit. This scholarship was created by the SANS Institute and KPMG LLP in honor of Ken Johnson, who passed away in 2016. Early in Ken’s digital forensics career, he submitted to a Call for Presentations and was accepted to present his findings at the 2012 SANS DFIR Summit. His networking at the Summit led to his job with KPMG.

7.     Prove you’ve mastered the DFIR arts by playing in the DFIR NetWars – Coin Slayer Tournament. Created by popular demand, this tournament will give you the chance to leave Austin with a motherlode of DFIR coinage! To win the new course coins, you must answer all questions correctly from all four levels of one or more of the six DFIR Domains: Windows Forensics & Incident Response, Smartphone Analysis, Mac Forensics, Memory Forensics, Advanced Network Forensics, and Malware Analysis. Take your pick or win them all!

8.     Enjoy updated DFIR NetWars levels with new challenges. See them first at the Summit! But not to worry, you will have the opportunity to train before the tournament. You’ll have access to a lot of updated posters that can serve as cheat sheets to help you conquer the new challenges, as well as the famous SIFT WorkStation that will arm you with the most powerful DFIR open-source tools available. You could also choose to do an hour of crash training on how to use some of our Summit sponsors’ tools prior to the tournament. That should help give you an edge, right? That new DFIR NetWars coin is as good as won!

9.     The Forensic 4:cast Awards winners will be announced at the Summit. Help us celebrate the achievements of digital forensic investigators around the world deemed worthy of the award by their peers. There is still time to cast your vote. (You may only submit one set of votes; any additional voting will be discounted.) Voting will close at the end of the day on May 25, 2018.

10.  Come see the latest in tools offered by DFIR solution providers. Summit sponsors and exhibitors will showcase everything from managed services covering advanced threat detection, proactive threat hunting, and accredited incident response to tools that deliver rapid threat detection at scale, and reports that provide insights for identifying potential threats before they cause damage.

11.  Last but not least, who doesn’t want to go to Austin?!? When you think Austin, you think BBQ, right? This city isn’t just BBQ, Austin has amazing food everywhere and there’s no place like it when it comes to having a great time. The nightlife and music include the famous 6th Street – which, by the way, is just walking distance from the Summit venue. There are many other landmarks such as Red River, the Warehouse District, Downtown, and the Market District. You will find entertainment of all kinds no matter what you’re up for. Nothing wrong with some well-deserved play after days full of DFIR training, lectures, and networking!

As you can see, this is an event you do not want to miss! The SANS DFIR Summit and Training 2018 will be held at the Hilton Austin. The event features two days of in-depth digital forensics and incident response talks, nine SANS DFIR courses, two nights of DFIR NetWars, evening events, and SANS@Night talks.

The Summit will be held on June 7-8, and the training courses run from June 9-14.

We hope to see you there!

Automated Hunting of Software Update Supply Chain Attacks

Software that automatically updates itself presents an attack surface, which can be leveraged en masse through the compromise of the vendor’s infrastructure. This has been seen multiple times during 2017, with high profile examples including NotPetya and CCleaner.

Most large organisations have built robust perimeter defences for incoming and outgoing traffic, but this threat vector is slightly different and far more difficult to detect. Update packages are often deployed in compressed, encrypted or proprietary formats and would not easily be subject to an antivirus scan or sandbox analysis during transit. This leaves us with a large number of trusted processes within our infrastructure that could turn on us at any time and download something evil, which could potentially be undetectable by endpoint antivirus software.

It would be almost impossible to detect all potential malicious code changes, as they could be as simple as changing a single assembly instruction from JNZ to JZ to allow for unauthorised access or privilege escalation to occur. However, this doesn’t prevent some additional proportionate due diligence on the update package being pulled down and installed.

Methodology for discovering inbound evil updates

1. Discover all the software across your estate that could be auto updating
Let us consider for a moment software that automatically updates, and how it looks on the endpoint. Firstly, it needs to open an internet connection to a server that will allow it to identify whether the version currently running is up to date, or whether there is a newer version available. This may occur when the process is first executed or at intervals (set dates or times, or even randomly). If the version is current then it will try again later, most likely connecting to the same server and repeating the process of checking the version numbers. The traffic volume on each occasion is likely to be very small; after all, all it needs to ask is “what is the current version number?” and the reply need only be “1.0.32” or similar.

If we put these components together we can build a search for a process, other than a browser (to reduce the noise), which makes repetitive connections to the same server on multiple occasions. We can further refine by looking for low volume traffic in the transmissions. This data may contain false positives such as the checking of licence validation, however this doesn’t matter as we will refine this further in the next stages.
2. Monitor traffic ratios for evidence of updates being downloaded
Once we have a list of processes, devices and servers that have displayed the behaviour from our discovery phase, we can now monitor the traffic volume ratios for abnormal behaviour. Consider a process that had been polling the same server with 5KB uploads followed by 50KB downloads for the past month when suddenly the volume of the download changes to 300MB. It would be a clear outlier based on volumes and upload/download ratios.
3. Perform automated sandbox analysis on detected binaries post update
Now we’re looking for a suspicious update, not just any update, so we can send the installer from the endpoint to an internal sandbox for analysis. Alternatively, we could trigger the same update to occur within a sandbox running our gold image. The sandbox would perform a behavioural analysis, which we would use to highlight any suspicious behaviour during, or after the update process takes place.
4. Alert CERT for further examination should there be evidence of anything suspicious
This can then feed the alerting system used by our SOC/CERT for a manual review and prompt containment activity should the updates contain malware – at this point the number of machines that have pulled the update should be small and we can prevent further infections through proxy blocks etc.
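The discovery and ratio-monitoring steps above (steps 1 and 2), as an added worked example that is not code from the original post or from the author: it runs over a constructed table of per-connection byte counts of the kind Process Monitor or a proxy log would give you, first picking out non-browser processes that repeatedly poll the same server with tiny transfers, then flagging the poll whose download volume and download/upload ratio dwarf that process's own baseline. The process names, server names and byte counts are all constructed; the 1:11 versus 1:7756 ratios mirror the figures in the demonstration further down.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Process names treated as browsers and excluded from discovery (constructed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


@dataclass(frozen=True)
class Connection:
    """One outbound connection summary, e.g. from Process Monitor or proxy logs (constructed schema)."""
    ts: datetime
    host: str
    process: str
    server: str
    bytes_up: int
    bytes_down: int


def discover_pollers(conns, min_connections=5, max_bytes=65_536):
    """Step 1: non-browser processes that repeatedly contact the same server with tiny transfers.

    A (host, process, server) triple qualifies when at least `min_connections` of its
    connections moved no more than `max_bytes` in total, i.e. looked like version checks.
    """
    groups = defaultdict(list)
    for c in conns:
        if c.process.lower() in BROWSERS:
            continue
        groups[(c.host, c.process, c.server)].append(c)
    return {
        key: sorted(rows, key=lambda c: c.ts)
        for key, rows in groups.items()
        if sum(1 for c in rows if c.bytes_up + c.bytes_down <= max_bytes) >= min_connections
    }


def find_update_outliers(pollers, factor=20.0):
    """Step 2: flag polls whose download volume AND download/upload ratio dwarf the baseline.

    The median of the group's downloads and ratios is the baseline because a median is
    not dragged upwards by the single large transfer we are trying to find.
    """
    alerts = []
    for (host, process, server), rows in pollers.items():
        downs = [c.bytes_down for c in rows]
        ratios = [c.bytes_down / max(c.bytes_up, 1) for c in rows]
        base_down = max(median(downs), 1)     # guard against an all-zero baseline
        base_ratio = max(median(ratios), 1)
        for c, ratio in zip(rows, ratios):
            if c.bytes_down > factor * base_down and ratio > factor * base_ratio:
                alerts.append({
                    "ts": c.ts, "host": host, "process": process, "server": server,
                    "bytes_down": c.bytes_down, "ratio": ratio,
                    "baseline_down": base_down, "baseline_ratio": base_ratio,
                })
    return alerts


def sample_connections():
    """Constructed month of polling: a steady updater, a steady licence check, a noisy browser,
    then one updater poll that pulls a large installer."""
    start = datetime(2017, 11, 1, 9, 0)
    conns = []
    for day in range(10):
        t = start + timedelta(days=day)
        conns.append(Connection(t, "ws-042", "updater.exe", "updates.example.invalid", 5_000, 55_000))
        conns.append(Connection(t, "ws-042", "licensecheck.exe", "license.example.invalid", 2_000, 2_000))
        conns.append(Connection(t, "ws-042", "chrome.exe", "cdn.example.invalid", 5_000, 40_000_000))
    conns.append(Connection(start + timedelta(days=10), "ws-042", "updater.exe",
                            "updates.example.invalid", 5_000, 38_780_000))
    return conns


if __name__ == "__main__":
    for a in find_update_outliers(discover_pollers(sample_connections())):
        print(f"{a['ts']:%Y-%m-%d} {a['host']} {a['process']} -> {a['server']}: "
              f"{a['bytes_down']} bytes down, ratio 1:{a['ratio']:.0f} "
              f"(baseline 1:{a['baseline_ratio']:.0f})")
```

Each alert carries the baseline alongside the offending values so the SOC analyst (step 4) sees why it fired; the `factor` threshold is deliberately coarse, since the point is to catch an installer-sized download against a version-check-sized baseline, not small day-to-day variance.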

Demonstration of concept

Here we will demonstrate the concept by conducting a deep dive into the behavior of the Notepad++ update process. We begin by identifying the polling between the process and update server. We can see from Process Monitor below that the traffic volumes are low, and the upload / download ratio is relatively similar, approximately 1:11 when there is no update to be downloaded.

[Screenshot: Process Monitor, version poll with no update available]

Now let’s have a look at what happens when there is an update available.

[Screenshot: Process Monitor, version poll with an update available]

We can see the difference when there is an update to be pulled: in this case the download volume is, as we would expect, far higher than the upload. The ratio is 1:7756, over 673 times higher than the no-update baseline.

[Screenshot: Process Monitor, upload/download volumes while the update is pulled]

In addition, following the network activity we can see that a process launch has been identified. This is the start of the update installation and provides us details on the location of the update binary.  At this point we can take the desired action to review the file, this may include a local scan or better yet, uploading the binary to an internal sandbox for behavioural analysis to take place – this would give us the added benefit of detecting a threat before the antivirus signatures are available.

[Screenshot: Process Monitor, process launch of the update installer]

Practicalities and further ideas

In a large network there is going to be a lot of noise and you may want to select the top 50 auto updating processes that are most widely utilised across the estate and focus on them. This way you can be more selective about the alerts that go to your SOC.

Some processes may update on the fly using hot patching, in which case better results would be obtained from the creation of a custom image for your sandbox with all of these processes installed, so there would be no need to send/pull binaries and you could monitor the entirety of the update process taking place, including all files dropped to disk and executed during the update.

Feedback and ideas are always welcome!

Happy hunting

-Adam (Twitter: @CyberKramer)

Uncovering Targeted Web-Based Malware Through Shapeshifting

Targeted Web-Based Malware?

Malware authors are frequently observed leveraging server side scripting on their infrastructure to evade detection and better target their attacks. This includes both exploit kits and servers hosting secondary stage payloads, all of which can easily be set up to alter their responses based on the footprint of the visitor. This could include geolocation of the IP address visiting the site if the attacker is targeting users from a particular country or region, or perhaps user-agent if they are only focused on certain browsers or operating systems. Without access to the source code leveraged on the server, it is difficult to detect whether it would alter its behaviour if you were visiting from a different device or location, and therefore malware analysts may find themselves declaring a link benign, or that the payload server is down, when in fact, it is only presenting that way to the analyst in question.

Got an example?

An example of this can be seen in the Malwarebytes blog on Magnitude exploit kit which details that  “…users are inspected at a ‘gate’ that decides whether or not they should be allowed to proceed to Magnitude EK. This gate, which has been nicknamed ‘Magnigate’ by Proofpoint, performs additional checks on the visitor’s IP address and user-agent to determine their geolocation, Internet Service Provider, Operating System and browser information…”

Hmm, so what can I do?

There is of course a balance here, even if you have access to VPN software, which allows you to select the country you want to appear from, it would be extremely time consuming and cumbersome to iterate through all of the available countries, each time using different browsers and painstakingly looking to identify whether there was any variation in the responses.

To aid in this task, I have written a new tool which automates this whole process and may be useful during malware analysis if you suspect the server is hiding something from you.

It works as follows:

  1. Loads a list of countries and user-agents that you want to appear from
  2. Leverages a proxy listing website’s API to obtain various country proxies
  3. Verifies that the proxies are working, and that the geolocation is per requirements
  4. Connects to the server using the proxy and iterates through all of the user-agents requesting the site multiple times
  5. Identifies any results which are different from the control value and highlights to the analyst
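Step 5 of the workflow, the comparison against the control value, as an added example that is not the tool's own code: given the responses already collected for each (country, user-agent) probe, it fingerprints each response on status plus whitespace-normalised body, treats a probe whose own repeated requests disagree as "unstable" (rotating or load-balanced content, which is not evidence of targeting), and produces a unified diff for any probe that consistently differs from the control. The `Probe`/`Response` classes, the country and user-agent labels and the sample responses are all constructed; the sample mimics the `browser-test-404.php` behaviour described below, where only the China plus iPhone combination receives content.

```python
import difflib
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """Where the request appeared to come from (constructed labels; a real run maps these to proxies)."""
    country: str
    user_agent: str


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def fingerprint(resp):
    """Stable identity of a response: status code plus whitespace-normalised body."""
    canonical = f"{resp.status}\n{' '.join(resp.body.split())}"
    return hashlib.sha256(canonical.encode()).hexdigest()


def render(resp):
    return f"HTTP {resp.status}\n{resp.body}"


def analyse(observations, control):
    """Compare every probe against the control probe.

    `observations` maps each Probe to the list of Responses seen across repeated requests.
    A probe is 'unstable' when its own repeats disagree, 'same' when every repeat matches
    the control, and 'different' when it consistently differs; 'different' carries a
    unified diff for the analyst to review.
    """
    control_fps = {fingerprint(r) for r in observations[control]}
    if len(control_fps) != 1:
        raise ValueError("control responses vary between requests; choose a stable control")
    control_fp = next(iter(control_fps))
    findings = {}
    for probe, resps in observations.items():
        fps = {fingerprint(r) for r in resps}
        if len(fps) > 1:
            findings[probe] = ("unstable", [])
        elif fps == {control_fp}:
            findings[probe] = ("same", [])
        else:
            diff = list(difflib.unified_diff(
                render(observations[control][0]).splitlines(),
                render(resps[0]).splitlines(),
                fromfile=f"{control.country}/{control.user_agent}",
                tofile=f"{probe.country}/{probe.user_agent}",
                lineterm="",
            ))
            findings[probe] = ("different", diff)
    return findings


def sample_observations():
    """Constructed results: two requests per probe, content only for China + iPhone,
    and one probe whose server flaps between 404 and 503."""
    not_found = Response(404, "<html><body>Not Found</body></html>")
    content = Response(200, "<html><body><h1>Main content</h1></body></html>")
    return {
        Probe("GB", "Chrome"): [not_found, not_found],
        Probe("GB", "iPhone"): [not_found, not_found],
        Probe("CN", "Chrome"): [not_found, not_found],
        Probe("CN", "iPhone"): [content, content],
        Probe("US", "Chrome"): [not_found, Response(503, "Service Unavailable")],
    }


if __name__ == "__main__":
    for probe, (verdict, diff) in analyse(sample_observations(), Probe("GB", "Chrome")).items():
        print(f"{probe.country}/{probe.user_agent}: {verdict}")
        for line in diff:
            print("    " + line)
```

Requesting each probe more than once before trusting a difference is what keeps a flaky server or A/B-served page from being reported as targeted content; only a probe that differs from the control every time is worth the analyst's attention.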

Demonstration

I’ve uploaded a number of test documents to my webserver, which you are welcome to use for your testing:

adamkramer.uk/browser-test.php & adamkramer.uk/browser-test-404.php

Both of these do the same thing – they wait until they observe someone connecting from a Chinese IP address with an iPhone user-agent before presenting the main content. The first URL will return a result in all other circumstances stating “Go away”, and the second will return a 404 error unless the conditions are met.

[Screenshot: the browser-test-404.php test script]

The screenshot below shows the script iterating through various user-agents whilst connected to a Chinese proxy. In each case we can see the result was a 404 until the iPhone user-agent was sent, after which the script presented a ‘diff’ style output on what was different about this case.

[Screenshot: script output iterating user-agents through a Chinese proxy, with the diff for the iPhone case]

Great! Where can I get it?

The script was written in Python (v3.x) and is available from Github here.

Please feel free to use / fork / enhance / provide feedback.

Happy analysing!

-Adam (Twitter: @CyberKramer)

Coin Check: Win the challenge, join the elite list of lethal forensicators & take home a brand new DFIR challenge coin!

Hundreds of SANS Institute digital forensics students have stepped up to the challenge and conquered. They’ve mastered the concepts and skills, beat out their classmates, and proven their prowess. These are the elite, the recipients of the SANS Lethal Forensicator Coin, an award given to a select portion of the thousands of students that have taken any of the SANS Institute Digital Forensics or Incident Response (DFIR) courses. Now, the institute is expanding the opportunity for students to earn these highly coveted tokens in each of the SANS DFIR courses.

Thanks to an effort led by curriculum lead Rob Lee & the SANS DFIR faculty, students can now win specific SANS Lethal Forensicator Coins designed to go with each of the DFIR course themes. These coins are tailored to be icons and the precious prizes to be won by students as a proof and symbol of their mastery in a specific digital forensics specialty.

New DFIR course challenge coins available now:

FOR500: Windows Forensic Analysis

“Ex Umbra in Solem”: From the Shadows into the Light
In today’s digital world, forensics plays a critical role in uncovering the truth. Forensic examiners shine light on the facts of the case, making good decisions possible. And the forces of evil unceasingly develop new ways to hide their activities, forcing us to continually improve our skills to counter them.

FOR508: Advanced Digital Forensics, Incident Response & Threat Hunting

“Non Potestis Celare”: You cannot hide
The most successful incident response teams are evolving rapidly due to near-daily interaction with adversaries. New tools and techniques are being developed, providing better visibility and making the network more defensible. Adversaries can no longer hide.

FOR610: Reverse-Engineering Malware

“R.E.M”: Reverse-Engineering Master

Today, attackers are modifying their malware with increasing frequency to bypass antivirus and other endpoint controls. Through reverse-engineering, Malware (R.E.M) Analysis Masters can isolate the most appropriate Indicators of Compromise (IOCs) to identify and stop malware.

FOR585: Advanced Smartphone Forensics

“Omnis Tactus Vestigium Relinquit”: Every contact leaves a trace
Knowing how to recover all of the data residing on a smartphone is now an expectation in the digital forensics field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. There are traces of evidence hiding on the device, and you know how to uncover them.

FOR572: Advanced Network Forensics Analysis

“Malum Loquitur, Bonum Auscultat”: Evil must talk, so good must listen

Network Forensic professionals are hunters with great visibility, who can find a target among a mass of camouflaging data. Wisdom, experience, and stealth are all embodied by the owl’s watchful, unwavering eye, seeking its prey under the cover of darkness. No matter how crafty an adversary may be, their communications will allow the hunter to find, identify, and ultimately eliminate their presence.

FOR518: Mac Forensics

“Impera magis. Aliter cogita”: Command more and think differently.

Apple users have always thought differently and that goes for Apple forensicators too. The analysts who hold this coin take command of their forensic analysis and appreciate looking at the raw data and interpreting it correctly without the necessity of superfluous tools. Knowing where you came from can help you move forward, this is where the hat tip to the original colored Apple logo comes in. New artifacts are presented to analysts in every OS update, the knowledge of historic elements may provide insight.

FOR578: Cyber Threat Intelligence

“Hominem unius libri timeo”: I fear the man of one book.

FOR578 is all about developing analytical skills. To think critically and expand our views which is a skill that applies to any security profession. The quote is attributed to Thomas Aquinas and despite the common use of the phrase (which is meant to deride the person who is not well studied across multiple subjects) the original meaning was to state that a person who understood one good book well could defeat their opponent. Thus, this phrase can be interpreted two entirely different ways. Both are about self-education and broadening our views on the world.

FOR526: Memory Forensics In-Depth

“Cur mihi oculi dolent?” Why do my eyes hurt?

Memory forensics reveals deeper insights into the state of a compromised system and stands as the best source for detection of malware and OS/process manipulation/subversion. These analysis methods reveal key evidence which may not be uncovered through querying the operating system or digging through network packets. This quote comes from the original Matrix movie, a question Neo asks of Morpheus when he first wakes from his life in the artificial reality created by sentient machines. It is this awakening and raw view of reality that we as forensic examiners/incident responders strive to achieve through deeper analysis of system memory.

DFIR NetWars

Staying up to date with the latest challenges in the digital forensics field demands analytical skills that cannot be gained by just reading a textbook. Just as firefighters could never learn how to fight a fire by studying theory alone, incident responders, threat hunters, and digital forensic investigators can test their skills with DFIR NetWars.

New DFIR Challenge coin back design:

The challenges for each course are held on the last day. Students must successfully overcome a number of obstacles, directly compete against fellow students, and prove their proficiency during timed, hands-on incidents. The obstacles, competitions and hands-on scenarios have been created by SANS’ top instructors – digital forensics practitioners, subject matter experts, experienced teachers and professional leaders in their own right. At the end of the challenge, the instructor announces the winner(s), who are awarded the coins at the end of the 6th day of class; winners are later listed on the SANS Institute’s virtual wall of Lethal Forensicator Coin Holders.

History of the SANS Challenge coins:

The coin – more precisely, Round Metal Object (RMO) – was initially created to recognize students who demonstrate exceptional talent, contributions, or who serve as leaders in the digital forensics profession and community. The coin is meant to be an honor; it is also intended to be rare. SANS Institute uses the coins to identify and honor those who excel at detecting and eradicating threats, understand the critical importance of cybersecurity and continually strive to further not only their knowledge but also the knowledge of the entire digital forensics field. They actively share their experience and encourage learning through participation in the community and are typically leaders in the digital forensics and incident response community.

Those who are awarded the Lethal Forensicator are also bestowed special privileges and recognition, including participation in the so-called and well-regarded “coin check” challenge and response.

“Coin check” Challenge:

Initiated by one coin holder to another, a coin check typically begins by a challenger holding his or her coin in the air or slamming it on a table and yelling “coin check!” All who are challenged must respond by showing their coins to the challenger within 10 seconds, and whoever fails to do so must buy everyone a round of drinks. If all the challenged coin holders do produce their coin, the challenger must buy the round of drinks. (By the way, if you accidentally drop your coin and it makes an audible sound on impact, then you’ve “accidentally” initiated a coin check. And there are no exceptions to the rules!)

Coin checks aside, there are other ways to win the DFIR Challenge coins besides being an exceptional DFIR student and winning the classroom challenges. Each GOLD GCFA, GREM, GCFE member that has written a published white paper that has furthered the field of research in the Digital Forensics field receives a coin, as do SANS Digital Forensics Blog authors who have written six published entries over a one-year span. In addition, speakers and panelists who participate at a SANS Digital Forensic Summit are awarded coins (vendors and vendor-related speakers are not eligible). Finally, any coin holder can nominate an individual in the digital forensics field who has contributed knowledge, tools or service.

For more information on our SANS DFIR courses, please visit our Forensics Courses list. And to read more about the coin and the history of the term “Forensicator,” check out our Community – Lethal Forensicator Coin page.

Webcast Summary: New SANS Cheat Sheet: A Guide to Eric Zimmerman’s Command Line Tools

Thank you for attending the SANS New Cheat Sheet: “A Guide to Eric Zimmerman’s Command Line Tools” webcast.

For webcast slides and recording visit: http://www.sans.org/u/raj

To download the Cheat Sheet visit: http://digital-forensics.sans.org/u/rao

To download Eric’s Command line tools visit: https://ericzimmerman.github.io/

 

In this webinar, Eric covered several tools that can be used to show evidence of execution as well as document creation and opening. He also provided an overview of bstrings and Timeline Explorer and provided demonstrations of how those tools can be used to add value to investigations.  Here is a webcast summary:

Timeline Explorer

Timeline Explorer loads one or more CSV or Excel files into a common interface and lets you apply advanced sorting, filtering, and conditional formatting rules to the data.

Several useful shortcuts include:

  • CTRL-T: Tag or untag the selected rows
  • CTRL-D: Bring up the Details window for super timelines
  • CTRL-C: Copy the selected cells (with headers) to the clipboard; hold SHIFT to exclude the column header

Evidence of execution programs

AppCompatCacheParser, AmcacheParser, and PECmd parse forensic artifacts related to evidence of execution.

AppCompatCacheParser extracts shimcache data from each ControlSet found in the SYSTEM registry hive and exports it to CSV format.

AmcacheParser extracts file and program information from the Amcache.hve hive to CSV format.

PECmd processes Windows prefetch files and extracts information such as the total number of times a program was run and up to the last 8 times a program was executed. Prefetch files also track the files and directories a program referenced when it was run.

Lnk file internals

We started exploring lnk files by looking at the header and unpacking what each piece of the header meant and how to process it.

From there we looked at each of the structures whose presence is signalled by the LinkFlags field of the header, including the link target ID list. We viewed the raw bytes of a target ID list first, then processed and decoded each shell item it contains.

Document creation and opening programs

Now that we had a decent understanding of the internals of lnk files, we took a look at several tools to extract data from these valuable forensic artifacts.

LECmd and JLECmd process lnk files and jump lists respectively and display information about the opened document, such as the target document’s created, modified and last accessed timestamps, the volume serial number and drive type, the target ID list, and more.

LECmd fully supports decoding all available structures, including embedded shell items. It also adds functionality such as calculating the absolute path of the target file from the shell items in the target ID list. Finally, LECmd resolves MAC addresses to vendors using an internal lookup table shipped with the tool. Keep in mind where that MAC address comes from: it is the node field of the version 1 GUIDs in the link’s tracker data block, so it identifies a network interface on the machine where the link was created, which is not necessarily the machine the link was collected from.

JLECmd provides the same data extraction capabilities as LECmd, but for lnk files that are wrapped in another data structure.

In the case of custom destinations jump lists, that wrapping structure is simply a file containing one or more concatenated lnk files. Automatic destinations jump lists use an OLE Compound File (OLE CF) container to hold the embedded lnk files.

JLECmd allows for dumping of all embedded lnk files which in turn allows for those lnk files to be analyzed with any lnk parsing tool.
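The Python below is an added example, not LECmd or JLECmd code, that ties together the three points above: it parses the fixed lnk header, splits the link target ID list into shell items and rebuilds the target’s absolute path from the volume and file-entry items, and carves back-to-back lnk records out of a blob in the way a custom destinations jump list lays them out. The header layout follows the public MS-SHLLINK specification; the root folder, volume and file-entry shell-item layouts are the commonly documented ones, and only those three item kinds are decoded (extension blocks and other item classes are left raw). The lnk bytes and the blob it carves are constructed inside the block, not taken from a real system, and the carver deliberately ignores the real CustomDestinations framing by slicing from one header signature to the next.

```python
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK): HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# Creation/Access/WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)                       # 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
LNK_SIGNATURE = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1                                   # LinkFlags bit A
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")  # root folder CLSID

def filetime_to_datetime(ft):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime; None when unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_header(data):
    if data[:len(LNK_SIGNATURE)] != LNK_SIGNATURE or len(data) < HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    (_, _, flags, attrs, ctime, atime, wtime, size,
     _icon, show, _hotkey, _, _, _) = struct.unpack_from(HEADER_FMT, data)
    return {"flags": flags, "attributes": attrs, "file_size": size, "show_command": show,
            "creation_time": filetime_to_datetime(ctime),
            "access_time": filetime_to_datetime(atime),
            "write_time": filetime_to_datetime(wtime)}

def split_id_list(data, offset):
    """LinkTargetIDList: u16 IDListSize, then ItemIDs (u16 size that includes the
    size field, then data), closed by a 2-byte zero TerminalID."""
    (list_size,) = struct.unpack_from("<H", data, offset)
    pos, end, items = offset + 2, offset + 2 + list_size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                                      # TerminalID
            break
        items.append(data[pos:pos + item_size])
        pos += item_size
    return items, end

def decode_shell_item(item):
    """Decode the item kinds needed to rebuild a local path; others stay raw."""
    cls = item[2]                                               # class type indicator
    if cls == 0x1F:                                             # root folder: CLSID at 4
        return "root", str(uuid.UUID(bytes_le=item[4:20]))
    if cls == 0x2F:                                             # volume: ASCII name at 3
        return "volume", item[3:].split(b"\x00", 1)[0].decode("ascii")
    if 0x30 <= cls <= 0x3F:                                     # file entry: name at 14
        kind = "dir" if cls & 0x01 else "file"
        if cls & 0x04:                                          # UTF-16LE name variant
            name = item[14:].decode("utf-16-le", "ignore").split("\x00", 1)[0]
        else:
            name = item[14:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return kind, name
    return "unknown", item.hex()

def target_path(items):
    """Absolute path rebuilt from the volume and file-entry items."""
    parts = []
    for kind, value in map(decode_shell_item, items):
        if kind == "volume":
            parts.append(value.rstrip("\\"))
        elif kind in ("dir", "file"):
            parts.append(value)
    return "\\".join(parts)

def parse_lnk(data):
    rec = parse_header(data)
    items = []
    if rec["flags"] & HAS_LINK_TARGET_ID_LIST:
        items, _ = split_id_list(data, HEADER_SIZE)
    rec["shell_items"] = [decode_shell_item(i) for i in items]
    rec["target_path"] = target_path(items)
    return rec

def carve_lnk_records(blob):
    """Slice at every Shell Link signature and parse each slice (enough for
    back-to-back records; the CustomDestinations framing is not interpreted)."""
    starts = [m.start() for m in re.finditer(re.escape(LNK_SIGNATURE), blob)]
    return [parse_lnk(blob[s:e]) for s, e in zip(starts, starts[1:] + [len(blob)])]

# --- constructed sample data, not from a real system --------------------------
def _item(cls, body):                                           # ItemID: size, class, body
    return struct.pack("<HB", 3 + len(body), cls) + body

def _file_entry(cls, name, attrs):                              # unknown, size, FAT time, attrs, name
    return _item(cls, struct.pack("<BIIH", 0, 0, 0, attrs) + name.encode() + b"\x00")

def build_sample_lnk(file_name, wtime):
    ft = int((wtime - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST,
                         0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    id_list = (_item(0x1F, b"\x50" + MY_COMPUTER.bytes_le) + _item(0x2F, b"C:\\\x00")
               + _file_entry(0x31, "Users", 0x10) + _file_entry(0x32, file_name, 0x20)
               + b"\x00\x00")
    return header + struct.pack("<H", len(id_list)) + id_list

SAMPLE_BLOB = (b"\x00" * 8                                      # leading junk
               + build_sample_lnk("report.docx", datetime(2016, 5, 2, 14, 30, tzinfo=timezone.utc))
               + build_sample_lnk("notes.txt", datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)))
```

Calling carve_lnk_records(SAMPLE_BLOB) returns two records whose target_path values are C:\Users\report.docx and C:\Users\notes.txt, with the header timestamps already converted to UTC datetimes. Because the carve is signature based, it will also find lnk headers embedded in any other file, which is handy when sweeping unknown data; the slice may then extend past the record’s real end, but the header and ID list still parse correctly because they sit at the front of the record.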

Other tools

Finally, we looked at bstrings and saw many examples of how to extract email addresses, URLs, UNC paths and more from a given file using its built-in regular expressions. We also covered how to extract strings from any code page and how to limit the amount of data bstrings returns.
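As an added example (not bstrings itself), the Python below shows the mechanics behind that kind of search: it pulls printable runs out of raw bytes in either a single-byte code page or UTF-16LE, runs a small table of regular expressions (email, URL, UNC path) over the decoded text, maps every hit back to its byte offset in the original data, and caps the number of results returned. The pattern table and the sample buffer are constructed for this example.

```python
import re

MIN_LEN = 4
# Constructed pattern table (bstrings ships its own, larger set).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "unc": re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\"'<>]+"),
}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)            # 7-bit printable bytes
SBCS_RUN = re.compile(rb"[\x20-\x7e\x80-\xff]{%d,}" % MIN_LEN)    # single-byte code page
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)    # UTF-16LE, Latin range

def extract_strings(data, encoding="ascii"):
    """Yield (byte_offset, text) for every printable run of MIN_LEN+ characters.
    'utf-16-le' uses the 2-byte-per-char pattern, 'ascii' the 7-bit one; any other
    codec name (cp1252, cp866, ...) is treated as a single-byte code page."""
    if encoding == "utf-16-le":
        run = UTF16_RUN
    elif encoding == "ascii":
        run = ASCII_RUN
    else:
        run = SBCS_RUN
    for m in run.finditer(data):
        yield m.start(), m.group().decode(encoding, "replace")

def find_patterns(data, name, encodings=("ascii", "utf-16-le"), limit=None):
    """(byte_offset, encoding, match) for PATTERNS[name] across the encodings,
    ordered by offset and truncated to `limit` hits when a limit is given."""
    pattern, hits = PATTERNS[name], []
    for enc in encodings:
        width = 2 if enc == "utf-16-le" else 1                    # bytes per character
        for off, text in extract_strings(data, enc):
            for m in pattern.finditer(text):
                hits.append((off + m.start() * width, enc, m.group()))
    hits.sort()
    return hits if limit is None else hits[:limit]

# Constructed sample buffer: ASCII prose, a UTF-16LE UNC path, an HTTP request line.
SAMPLE = (b"\x00\x01\x02 lorem ipsum contact bob@example.com today\x00\x00"
          + "\\\\fileserver\\share\\docs\\q2.xlsx".encode("utf-16-le")
          + b"\x00\x00\xff\xfe"
          + b"GET http://intranet.example.test/login?user=alice HTTP/1.1\r\n"
          + b"\x80\x81 short\x00")

if __name__ == "__main__":
    for name in PATTERNS:
        for offset, enc, hit in find_patterns(SAMPLE, name, limit=10):
            print(f"{name:5} @ 0x{offset:04x} [{enc}] {hit}")
```

Two details matter in practice. The UTF-16LE pattern is anchored to byte pairs, so a run can start one byte early when the preceding byte happens to be printable; the sample sidesteps that with a double NUL, and a real scanner should check alignment before trusting an offset. And the single-byte branch decodes with errors set to "replace", so a byte the chosen code page does not define becomes one replacement character and the offset arithmetic stays correct.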

I hope you enjoyed the webinar and get much use out of the tools in your investigations.

Thank you again for attending! Feel free to reach out via Twitter with feedback or questions.

About the author:

Eric serves as a Senior Director at Kroll in the company’s cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner’s Guide, and has created many world-class, open-source forensic tools free to the DFIR Community.

 

DFIR Summit 2017 – CALL FOR PRESENTATIONS

 

Call for Presentations Now Open!

 

Submit your proposal here: http://dfir.to/DFIR-CFP-2017
Deadline: January 16th at 5pm CT

 

The 10th Annual Digital Forensics and Incident Response Summit Call for Presentations is open through 5 pm EST on Monday, January 16, 2017. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Check out some of the DFIR Summit 2016 talks for a sense of what we are looking for.

We are looking for Digital Forensics and Incident Response Presentations that focus on:

  • DFIR and media exploitation case studies that solve a unique problem
  • New forensic or analysis tools and techniques
  • Discussions of new artifacts related to smartphones, Windows, and Mac platforms
  • Novel approaches that improve the status quo of the DFIR industry
  • Challenges to existing assumptions and methodologies that might change the industry
  • New, fast forensic techniques that can extract and analyze data rapidly
  • Enterprise or scalable forensics that can analyze hundreds of systems instead of one at a time

 

Digital Forensics & Incident Response (DFIR) Summit Social Media Ambassadors

 

The SANS DFIR Summit team is looking for Social Media Ambassadors

Are you a social media influencer in the DFIR space?
We are looking for you!

The SANS DFIR Summit Team is looking for two social media rock stars who can share their DFIR Summit experiences onsite and provide a post-summit event analysis. The ideal individuals will show the world why this event is unique, fun, and downright awesome to attend. If this sounds like something you would like to do, submit your entry and help us spread the word!

If you are selected you will have the opportunity to attend the Summit, June 23-24, 2016, with social media credentials at NO COST*

Apply today by sending an email to summitsocial@sans.org by June 1st, 2016 with the following information:

  • Your name, Company, and job title.
  • Your twitter, Facebook, LinkedIn, and any other relevant social media profiles.
  • Why you qualify to be our #DFIRSummit Social Media Ambassador.

Those selected will have the opportunity to:

  • Participate in the two day DFIR Summit sessions, interact with exhibitors and network with attendees and industry experts
  • Serve a critical role in sharing discussions and lessons learned from DFIR Summit speakers.
  • Meet and interact with representatives from SANS and the DFIR community.
  • Receive a DFIR Lethal Forensicator coin

Please note: This program is designed for individuals, not PR/communications representatives, to join and add value to the social conversation around Digital Forensics & Incident Response issues.

*Social Media Ambassadors are responsible for their own expenses for travel, accommodations, and other amenities.

DFIR Summit 2016 – Call for Papers Now Open

The 9th annual Digital Forensics and Incident Response Summit will once again be held in the live music capital of the world, Austin, Texas.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Presentations- Now Open

The 9th Annual Digital Forensics and Incident Response Summit Call for Presentations is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Deadline to submit is December 18th, 2015.

Summit Dates: June 23 & 24, 2016
Post-Summit Training Course Dates: June 25-30, 2016

Call For Presenters — DFIR Prague 2015 #DFIRPrague

Send your submission to dfireuropecfp@sans.org by 5 pm BST on 1 June, 2015 with the subject “SANS DFIR Europe Summit.”

Dates:

  • Summit Date: 11 October, 2015
  • Pre-Summit Training Course Dates: 5-10 October, 2015
  • Post-Summit Training Course Dates: 12-17 October, 2015
Summit Venue:

SANS’ annual dedicated Digital Forensics and Incident Response (DFIR) Summit & Training event returns for 13 days of intensive training and excellent networking opportunities.

The Summit brings together DFIR practitioners who share their experiences, case studies and stories from the field. Summit attendees will explore real-world applications of technologies and solutions from all aspects of the fields of digital forensics and incident response.

Call for Speakers- Now Open

DFIR Europe Summit Call for Speakers is now open. If you are interested in presenting or participating on a panel, we’d be delighted to consider your practitioner-based case studies with communicable lessons.

The DFIR Europe Summit offers speakers the opportunity for exposure and recognition as industry leaders. If you have something substantive, challenging, and original to offer, you are encouraged to submit a proposal.

Benefits of Speaking

  • Promotion of your speaking session and company recognition via the DFIR Summit website and all printed materials
  • Visibility via the DFIR post-Summit on the SANS DFIR Website
  • Full conference badge to attend all Summit sessions
  • Speakers can bring 1 additional attendee for free to attend the summit
  • *Presentations may also be recorded and made available via the Internet to a wider audience (at the discretion of SANS).

Submission Requirements

  • Title of Proposed Talk
  • Abstract
  • The presentation abstract should outline your presentation and what attendees will All content must be strictly educational. The presentation should be relevant to: Digital Forensics Examiners, Media Exploitation Analysts, Legal, Incident Response Teams, Security Operations and Law Enforcement professionals.
  • Author Name(s)
  • Author Title
  • Company
  • Speaker Contact Information: Address, phone number, email address
  • Biography
  • Your biography should be approximately 150 You may include your current position, titles, areas of professional expertise, experience, awards, degrees, personal information, etc.
  • Twitter Handle:
  • Google+:
  • Facebook:
  • Blog:
  • YouTube videos featuring you speaking

Session/panel length: 45-60 minutes

  • Presentation: 40-45 minutes
  • Question & Answer: 5-10 minutes