If you discovered a compromised machine on your network, you’d think that the best course of action would be to pull the cord and power that machine off, right?
In fact, this is one of the worst things you can do. Here’s why.
Most modern attacks are resident in volatile memory. This not only makes their processing much faster but, more importantly, means that the ability to perform memory forensics is lost if the affected system is powered off. As an example, memory contains the processes that are running while the machine’s operating system is active, along with a myriad of other extremely detailed information which is very useful in determining what the operating system was doing at the time. If the system has already been powered off, your best course of action is to remove the disk from the system and connect it via USB for imaging through a “FastBloc” (essentially a write blocker, which prevents any modification of the files on the disk). Do not power the system back on: doing so will alter the date and time stamps of files, further degrading the forensic value of the evidence and effectively “compromising the crime scene”.
Secure the crime scene
As “NCIS” as this sounds, it’s actually a very valid point. Where you suspect a breach or a compromised system, a far better decision is to disconnect the network cable or, perhaps better still (if you need remote access), move the switch port the machine is connected to into a restricted VLAN that cannot reach the internet and can only reach the forensic network – and leave the power on. Securing the scene and isolating the environment is the vital first step of your forensic process. Also remember to keep a detailed log of every step of the analysis, as this is invaluable further down the line as a timeline of events – you should also record anyone entering or leaving the area where the infected machine resides, as this may affect the integrity of any evidence collected.
Once you discover a compromised system, you should:
- Work backwards from the discovery date and collect evidence.
- Keep detailed logs, including dates and times, of all related activities and occurrences during the forensic recovery.
- Ensure that you track any activity that may alter the results of the collection or change the course of the investigation.
- Retain and update a detailed log that can be referred to later down the line.
- Commence the forensic analysis as detailed below.
Isolate the system
At this point, only approved staff should have physical access to the affected machine. Once the system is isolated, use an application such as FTK Imager to capture the contents of RAM (including the currently running processes) and then a complete image of the disk. Decide at this point whether you need just the partition or the entire disk: remnants of deleted files sit in unallocated space on the physical disk and will not be included in a partition-only image. You should also use FTK Imager to obtain copies of the protected system files – these include the registry hives, the user password hashes, and the user profiles. Obtain a copy of the system pagefile too, as it also contains a wealth of information – remember that as RAM fills up, the system writes the overflow out to the pagefile. The pagefile is non-volatile and will survive if the system is powered off; however, it only contains what was paged out of memory, not the entire picture. The disk image can then be mounted as another volume on a Windows PC for further offline analysis.
You should also consider the use of RegRipper. This tool, written in Perl, is possibly the fastest, easiest and best tool for registry analysis in forensic examinations; it has been downloaded over 5000 times and is used by examiners everywhere. There is also ProcDump, a Microsoft Sysinternals utility. Incidentally, ProcDump (like Mimikatz) can also be used to recover passwords from memory, but you would need a dump of the LSASS.EXE process first.
You should also consider the use of Hibr2Bin, a tool created to extract forensic information from the Windows hibernation file. Note, however, that on systems where the page file is cleared on shutdown this would be ineffective, as the shutdown effectively destroys the hibernation file as well. In reality, this is another reason why you would not power the infected machine off.
If you still have access to the compromised system itself, further analysis can be performed using SANS SIFT. This toolkit is based on a bootable Ubuntu distribution and has an array of forensic capabilities.
The SANS Investigative Forensic Toolkit (SIFT) includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of:
- Expert Witness Format (E01)
- Advanced Forensic Format (AFF)
- RAW (dd) evidence formats
SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, plus several other useful utilities.
The Plaso (previously known as log2timeline) tool can parse various log files and forensic artefacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators and analysts, speeding up investigations by correlating the vast amount of information found on most average computer systems.
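To show what “a single correlated timeline” means in practice, here is an added example (not from the original post and not Plaso’s own code) that normalises three constructed artefacts with different timestamp formats and time zones into one UTC-ordered timeline; the hostnames, addresses and paths are made up.

```python
"""Correlate artefacts from several sources into one UTC-ordered timeline."""
from datetime import datetime, timezone

# Constructed samples (not real evidence): a syslog line from a switch in
# local time (UTC+2), a Windows Security event exported as CSV (UTC), and
# a filesystem MAC-time record with a Unix epoch. Each uses its own format.
SWITCH_SYSLOG = ("2023-03-14T09:05:17+02:00 sw-core1 "
                 "%LINK-3-UPDOWN: Interface Gi1/0/7 changed state to up")
WIN_EVENT_CSV = "2023-03-14 07:04:55,4624,WORKSTATION01,Logon,user=svc_backup src=10.0.5.23"
FS_RECORD = "C:\\Users\\Public\\tmp\\svchost.exe|created|1678777501"

def parse_syslog(line):
    ts, host, msg = line.split(" ", 2)
    # The offset in the timestamp is honoured, then converted to UTC.
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"time": when, "source": "syslog:" + host, "event": msg}

def parse_win_event(line):
    ts, event_id, host, task, detail = line.split(",", 4)
    # Exported without an offset; assumed (and labelled) as UTC.
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"time": when, "source": "evtx:" + host,
            "event": f"EventID {event_id} {task}: {detail}"}

def parse_fs_record(line):
    path, action, epoch = line.split("|")
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"time": when, "source": "fs:mft", "event": f"{action} {path}"}

def build_timeline(records):
    """records: list of (parser, raw_line); returns events sorted by UTC time."""
    events = [parser(line) for parser, line in records]
    return sorted(events, key=lambda e: e["time"])

def timeline_lines(events):
    return [f"{e['time'].isoformat()} {e['source']} {e['event']}" for e in events]

SAMPLE = [(parse_syslog, SWITCH_SYSLOG), (parse_win_event, WIN_EVENT_CSV),
          (parse_fs_record, FS_RECORD)]

if __name__ == "__main__":
    print("\n".join(timeline_lines(build_timeline(SAMPLE))))
```

Once the switch’s local time is normalised, the logon, the file creation and the interface change fall into their true order, which is exactly the correlation step a super-timeline tool automates.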
With these tools it is perfectly possible to build a detailed timeline and forensic footprint. This provides insight into what the attack vectors were, which systems were breached in the process and, more importantly, a frozen-in-time snapshot of the processes in memory. This data is invaluable when piecing segmented and disparate information together in order to establish what happened where, when and to whom. It is also imperative for your regulatory requirements, where your organisation will be expected to provide a detailed analysis of the discovered attack when requested.
The information that forensic analysis can provide cannot be measured in cost – it is priceless. The faster you respond in obtaining as much information as possible from a breached system, the more you will have to work with in determining origin and vectors. Remember to keep your golden master copies of memory dumps, disk and partition images etc. in secured storage to avoid tampering, and only work on copies of the original files recovered. Many other free tools are available that are perfect for obtaining detailed information.
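The timestamped evidence log from the checklist above and the golden-master discipline in this paragraph, as an added example that is not from the original post or from FTK Imager: every acquisition and verification is recorded with a UTC time, and a working copy is only accepted when its SHA-256 matches the master. The image files are constructed placeholders.

```python
"""Chain-of-custody log with hash verification for acquired evidence."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    # Stream the file so multi-gigabyte images do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class CustodyLog:
    """Append-only, UTC-timestamped record of every action taken on evidence."""
    def __init__(self, examiner):
        self.examiner = examiner
        self.entries = []

    def record(self, action, item, **details):
        self.entries.append({"time": datetime.now(timezone.utc).isoformat(),
                             "examiner": self.examiner, "action": action,
                             "item": item, **details})

    def acquire(self, path, description):
        # Hash the golden master immediately; this digest is the reference from now on.
        digest = sha256_file(path)
        self.record("acquired", path, description=description, sha256=digest)
        return digest

    def verify_copy(self, master_digest, copy_path):
        # Analysts work only on copies that still match the master.
        ok = sha256_file(copy_path) == master_digest
        self.record("verified", copy_path, matches_master=ok)
        return ok

def demo():
    """Constructed placeholder images; real ones would come from FTK Imager."""
    d = tempfile.mkdtemp()
    paths = {}
    for name, data in [("master", b"MEMDUMP" * 1024), ("good", b"MEMDUMP" * 1024),
                       ("tampered", b"MEMDUMP" * 1023 + b"MEMDUMX")]:
        paths[name] = os.path.join(d, f"ws01-memory-{name}.raw")
        with open(paths[name], "wb") as f:
            f.write(data)
    log = CustodyLog("examiner-1")
    digest = log.acquire(paths["master"], "RAM capture of WORKSTATION01 (placeholder)")
    return (log.verify_copy(digest, paths["good"]),
            log.verify_copy(digest, paths["tampered"]), len(log.entries))
```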
The last thing anyone wants is to be left without a detailed analysis or unable to provide a response to a breach. Stop and think before you power off that system – 5 seconds now can save you $5m later in fines 🙂