The hardware for IR and Jump Bag

Certainly, the set of equipment that may be required while handling an incident should be prepared in advance, and this deserves careful attention. This set is called the Jump Bag.

The contents of such a kit depend largely on the budget the organization can afford. Nevertheless, there is a necessary minimum that will allow the team to handle a small number of incidents.

If the budget allows it, it is possible to buy a turnkey solution that includes all the necessary equipment and a case for its transportation. As an example of such a solution, FREDL + Ultra Kit can be recommended. FREDL is short for Forensic Recovery of Evidence Device Laptop. With Ultra Kit, this solution will cost about 5000 USD.

Ultra Kit contains a set of write-blockers and a set of adapters and connectors for obtaining images of hard drives with different interfaces.

Note

More details can be found on the manufacturer's website at https://www.digitalintelligence.com/products/ultrakit/.

Setting aside its main drawback, the price, such a solution has many advantages for the cost. You get a complete starter kit for handling incidents, and the Ultra Kit case allows you to transport the equipment safely without fear of damage.

Note

The FRED-L laptop is based on modern hardware, and the specifications are constantly updated to meet current requirements. Current specifications can be found on the manufacturer's website at http://www.digitalintelligence.com/products/fredl/.

However, if you want to avoid the expensive solution, you can build a cheaper alternative that saves 20-30% of the budget by buying the components of the solutions reviewed above separately.

As a workstation, you can choose a laptop with the following specifications:

  • Intel Core i7-6700K Skylake Quad Core Processor, 4.0 GHz, 8MB Intel Smart Cache
  • 16 GB PC4-17000 DDR4 2133 Memory
  • 256 GB Solid State Internal SATA Drive
  • Intel Z170 Express Chipset
  • NVIDIA GeForce GTX 970M with 6 GB GDDR5 VRAM

This specification will provide a comfortable workstation to work on the road.

Note

For cases to transport the equipment, we recommend looking at Pelican (http://www.pelican.com) cases. The manufacturer can also configure a case to fit the equipment you need.

One of the typical tasks in incident handling is obtaining images of hard drives. For this task, you can use a duplicator, or a set of write-blockers together with a computer.

Duplicators are certainly a more convenient solution; their usage allows you to quickly get the disk image without using additional software. Their main drawback is the price. However, if you often have to extract the image of hard drives and you have a few thousand dollars, the purchase of the duplicator is a good investment.

If imaging hard drives is a relatively rare task and you have a limited budget, you can purchase a write blocker, which will cost 300-500 USD. However, it then has to be used with a computer and software, which we will discuss in later chapters.

To pick up the necessary equipment, you can visit http://www.insectraforensics.com, where you can find equipment from different manufacturers.

Also, do not forget about the hard drives themselves. It is worth buying a few large-capacity hard drives so that you can work without running out of space.

To summarize, responders need to include the following items in a basic set:

  • Several network cables (straight through or loopback)
  • A serial cable with a serial USB adapter
  • Network serial adapters
  • Hard drives (various sizes)
  • Flash drives
  • A Linux Live DVD
  • A portable drive duplicator with a write-blocker
  • Various drive interface adapters
  • A four port hub
  • A digital camera
  • Cable ties
  • Cable snips
  • Assorted screws and hex drivers
  • Notebooks and pens
  • Chain of Custody forms
  • Incident handling procedure

Software

Having covered the hardware, let us not forget the software that you should always have on hand. The variety of software that can be used in incident handling allows you to choose based on your preferences, skills, and budget. Some prefer command-line utilities, and some find a GUI more convenient to use.

Sometimes, the choice of tools is dictated by the circumstances in which you have to work.

Some utilities will be discussed in further sections and later chapters. However, we strongly recommend that you prepare these in advance and thoroughly test the entire set of required software.

Live versus post-mortem

The initial reaction to an incident is a very important step in the process of computer incident management. The success of the investigation depends on carrying out this step correctly.

Moreover, a correct and timely response is needed to reduce the damage caused by the incident.

The traditional approach to the analysis of the disks is not always practical, and in some cases, it is simply not possible.

In today's world, the development of computer technology has led to many companies having a distributed network spanning many cities, countries, and continents. With such dispersion, physically disconnecting each computer from the network and investigating it in the traditional way is not possible.

In such cases, the incident responder should be able to carry out a preliminary assessment remotely and as soon as possible: view the list of running processes, open network connections, open files, and the list of users registered in the system. Then, if necessary, a full investigation can be carried out.

In this chapter, we will look at some approaches that the responder may apply in a given situation. However, there are also cases when, even with physical access to the machine, live response is the only way to respond to the incident.

For example, there are cases where we deal with large disk arrays. This raises several problems at once. The first is that finding space to store such large amounts of data is itself difficult. In addition, the time required to analyze such amounts of data is unreasonably high.

Typically, such large volumes of data belong to a heavily loaded server serving hundreds of thousands of users, so taking it offline, or even rebooting it, is not acceptable to the business.

Another scenario that requires the Live Forensics approach is when an encrypted filesystem is used. In cases where the analyst does not have the key to decrypt the disk, Live Forensics is a good alternative for obtaining data from a system whose filesystem is encrypted.

This is not an exhaustive list of cases when the Live Analysis could be applicable.

It is worth noting one very important point. During the Live Analysis, it is not possible to avoid changes in the system.

Connecting external USB devices, establishing network connections, logging on a user, or launching an executable file will all leave changes in the system in a variety of log files, registry keys, and so on. Therefore, you need to understand which changes were caused by the actions of the responders and document them.

Volatile data

Under the principle of "order of Volatility", you must first collect information that is classified as Volatile Data (the list of network connections, the list of running processes, log on sessions, and so on), which will be irretrievably lost in case the computer is powered off.

Then, you can start to collect nonvolatile data, which can also be obtained with the traditional approach in the analysis of the disk image. The main difference in this case is that a Live Forensics set of data is easier to obtain with a working machine.

The process of obtaining a memory dump and a disk image as well as their analysis is described in detail in other chapters. This chapter will focus on the collection of Volatile data.

Typically, this category includes the following data:

  • System uptime and the current time
  • Network parameters (NetBIOS name cache, active connections, the routing table, and so on)
  • NIC configuration settings
  • Logged on users and active sessions
  • Loaded drivers
  • Running services
  • Running processes and their related parameters (loaded DLLs, open handles, and ownership)
  • Autostart modules
  • Shared drives and files opened remotely

Recording the time and date of the data collection allows you to define a time interval in which the investigator will perform an analysis of the system:

(date /t & time /t) > %COMPUTERNAME%\systime.txt
systeminfo | find "Boot Time" >> %COMPUTERNAME%\systime.txt

The last command records the system boot time, which shows how long the machine has been running since the last reboot.

Using the %COMPUTERNAME% environment variable, we can set up separate directories for each machine in case we need to repeat the process of collecting information on different computers in a network.

In some cases, signs of compromise are clearly visible in the analysis of network activity. The next set of commands allows you to get this information:

nbtstat -c > %COMPUTERNAME%\NetNameCache.txt
netstat -a -n -o > %COMPUTERNAME%\NetStat.txt
netstat -rn > %COMPUTERNAME%\NetRoute.txt
ipconfig /all > %COMPUTERNAME%\NIC.txt
promqry > %COMPUTERNAME%\NSniff.txt

The first command uses nbtstat.exe to obtain the contents of the NetBIOS name cache; it displays NetBIOS names with their corresponding IP addresses. The second and third commands use netstat.exe to record all active connections, listening ports, and the routing table.

For information about the network interface settings, ipconfig.exe is used.

The last command in the block starts the Microsoft promqry utility, which identifies the network interfaces on the local machine that operate in promiscuous mode. This mode is required by network sniffers, so detecting it indicates that the computer may be running software that listens to network traffic.

To enumerate all the logged on users on the computer, you can use the Sysinternals tools:

psloggedon -x > %COMPUTERNAME%\LoggedOnUsers.txt
logonsessions -p >> %COMPUTERNAME%\LoggedOnUsers.txt

The PsLoggedOn.exe command lists both types of users, those who are logged on to the computer locally, and those who logged on remotely over the network. Using the -x switch, you can get the time at which each user logged on.

With the -p switch, logonsessions displays all of the processes started by the user during the session.

It should be noted that logonsessions must be run with administrator privileges.

To get a list of all drivers that are loaded into the system, you can use the WDK drivers.exe utility:

drivers.exe > %COMPUTERNAME%\drivers.txt

The next set of commands to obtain a list of running processes and related information is as follows:

tasklist /svc > %COMPUTERNAME%\taskserv.txt
psservice > %COMPUTERNAME%\tasklst.txt
tasklist /v > %COMPUTERNAME%\taskuserinfo.txt
pslist /t > %COMPUTERNAME%\tasktree.txt
listdlls > %COMPUTERNAME%\lstdlls.txt
handle -a > %COMPUTERNAME%\lsthandles.txt

The tasklist.exe utility run with the /svc switch enumerates the running processes and the services hosted in each of them. While the previous command displays the list of running services, PsService obtains information about services from the registry and the SCM database.

Services are a traditional way through which attackers can access a previously compromised system. Services can be configured to run automatically without user intervention, and they can be launched as part of another process, such as svchost.exe.

In addition to this, remote access can be provided through completely legitimate services, such as telnet or ftp. To associate users with their running processes, use tasklist with the /v switch.

To enumerate the DLLs loaded in each process and the full path to each DLL, you can use listdlls.exe from SysInternals.

Another utility, handle.exe, can be used to list all the handles that processes have open: registry keys, files, ports, mutexes, and so on.

Both utilities must be run with administrator privileges. These tools can help identify malicious DLLs that were injected into processes, as well as files that these processes would not normally access.

The next group of commands allows you to get a list of programs that are configured to start automatically:

autorunsc.exe -a > %COMPUTERNAME%\autoruns.txt
at > %COMPUTERNAME%\at.txt
schtasks /query > %COMPUTERNAME%\schtask.txt

The first command starts the SysInternals utility, autoruns, and displays a list of executables that run at system startup and when users log on. This utility allows you to detect malware that uses the popular and well-known methods for persistent installation into the system.

The other two commands (at and schtasks) display the list of scheduled tasks. The at command also requires administrator privileges.

Services are often used to install backdoor mechanisms, but services run constantly in the system and can therefore be easily detected during live response. An attacker may instead create a backdoor that runs on a schedule to avoid detection; for example, a task that runs the malware only outside working hours.

To get a list of network shares and files opened remotely, you can use the following two commands:

psfile>%COMPUTERNAME%\openfileremote.txt
net share>%COMPUTERNAME%\drives.txt
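The volatile-data commands above can be run as one script. The following is an added example, not code from the original chapter: it runs the commands in order of volatility into a per-host directory, logs what the responder ran and with what exit code (so the responder's own changes to the system are documented), and hashes the outputs for the chain of custody. It assumes an elevated prompt and that the Sysinternals tools and drivers.exe are in the current directory or on PATH; the :run subroutine and file names are this script's own conventions.

```batch
@echo off
REM Added example, not code from the original chapter: runs the volatile-data
REM commands above in one pass, most volatile first, into a per-host directory,
REM and keeps a log of what the responder ran, when, and with what result, so
REM the changes caused by the collection itself can be documented.
REM Assumes an elevated prompt and that the Sysinternals tools and drivers.exe
REM are in the current directory or on PATH (accept the Sysinternals EULA
REM beforehand; the first run of each tool otherwise stops to prompt).
setlocal EnableExtensions
set "OUT=%~dp0%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\responder_actions.txt"

REM Everything done on the host after this timestamp is attributable to the responder.
echo Collection started %DATE% %TIME% by %USERDOMAIN%\%USERNAME% > "%LOG%"
(date /t & time /t) > "%OUT%\systime.txt"
systeminfo | find "Boot Time" >> "%OUT%\systime.txt"

REM Order of volatility: network state, logon sessions, kernel/process state,
REM then the autostart and share information that changes least.
call :run "nbtstat -c"        "%OUT%\NetNameCache.txt"
call :run "netstat -a -n -o"  "%OUT%\NetStat.txt"
call :run "netstat -rn"       "%OUT%\NetRoute.txt"
call :run "ipconfig /all"     "%OUT%\NIC.txt"
call :run "promqry"           "%OUT%\NSniff.txt"
call :run "psloggedon -x"     "%OUT%\LoggedOnUsers.txt"
call :run "logonsessions -p"  "%OUT%\LogonSessions.txt"
call :run "drivers.exe"       "%OUT%\drivers.txt"
call :run "tasklist /svc"     "%OUT%\taskserv.txt"
call :run "tasklist /v"       "%OUT%\taskuserinfo.txt"
call :run "pslist /t"         "%OUT%\tasktree.txt"
call :run "psservice"         "%OUT%\services.txt"
call :run "listdlls"          "%OUT%\lstdlls.txt"
call :run "handle -a"         "%OUT%\lsthandles.txt"
call :run "autorunsc.exe -a"  "%OUT%\autoruns.txt"
call :run "at"                "%OUT%\at.txt"
call :run "schtasks /query"   "%OUT%\schtask.txt"
call :run "psfile"            "%OUT%\openfileremote.txt"
call :run "net share"         "%OUT%\drives.txt"
echo Collection finished %DATE% %TIME% >> "%LOG%"

REM Hash every output file last, so the hashes can go on the chain-of-custody
REM form and later prove the collected text was not altered.
for %%F in ("%OUT%\*.txt") do certutil -hashfile "%%~F" SHA256 >> "%OUT%\hashes.sha256"
endlocal
exit /b 0

:run
REM %~1 = command line, %~2 = output file. A tool that is missing or fails
REM (for example, "at" does not exist on Windows 8 and later) is logged with
REM its exit code instead of silently leaving an empty file.
echo %TIME% run: %~1 >> "%LOG%"
%~1 > "%~2" 2>&1
echo %TIME% exit %ERRORLEVEL%: %~1 >> "%LOG%"
exit /b 0
```

Run it from the removable drive that holds the tools; the output directory and hashes.sha256 are created next to the script.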

Nonvolatile data

After Volatile data has been collected, you can continue to collect Nonvolatile Data. This data can be obtained at the stage of analyzing the disk, but as we mentioned earlier, analysis of the disk is not possible in some cases.

This data includes the following:

  • The list of installed software and updates
  • User info
  • Metadata about a filesystem's timestamps
  • Registry data

However, when obtaining this data from a live running system, there is a difficulty: many of these files cannot be copied in the usual way, because they are locked by the operating system. To copy them, use one of the dedicated utilities. One such utility is RawCopy.exe, authored by Joakim Schicht.

This is a console application that copies files off NTFS volumes using the low-level disk reading method.

The application has two mandatory parameters, target file and output path:

  • -param1: This is the full path to the target file to extract; it also supports IndexNumber instead of file path
  • -param2: This is a valid path to output directory

This tool will let you copy files that are usually not accessible because the system has locked them. For instance, the registry hives such as SYSTEM and SAM, files inside SYSTEM VOLUME INFORMATION, or any file on the volume.

This supports the input file specified either with the full file path or by its $MFT record number (index number).

Here's an example of copying the SYSTEM hive off a running system:

RawCopy.exe C:\WINDOWS\system32\config\SYSTEM %COMPUTERNAME%\SYSTEM

Here's an example of extracting the $MFT by specifying its index number:

RawCopy.exe C:0 %COMPUTERNAME%\mft

Here's an example of extracting the MFT reference number 30224 and all attributes, including $DATA, and dumping it into C:\tmp:

RawCopy.exe C:30224 C:\tmp -AllAttr

To download RawCopy, go to https://github.com/jschicht/RawCopy.

Knowing what software is installed and which updates are applied helps the investigation, because it shows possible ways the system could have been compromised through a vulnerability in that software. One of the attacker's first actions is to scan the system to detect active services and exploit vulnerabilities in them.

Thus, services that were not patched can be utilized for remote system penetration.

One way to list the installed software and updates is to use the systeminfo utility:

systeminfo > %COMPUTERNAME%\sysinfo.txt

Moreover, skilled attackers may themselves perform the same check and install the missing updates after penetrating the system, in order to hide the traces of their intrusion.

After identifying vulnerable services and successfully exploiting them, the attacker creates an account for themselves in order to subsequently enter the system through legitimate means. Therefore, analysis of the data about the system's users can reveal traces of the compromise. This data includes the following:

  • The Recent folder contents, including LNK files and jump lists
  • LNK files in the Office Recent folder
  • The Network Recent folder contents
  • The entire temp folder
  • The entire Temporary Internet Files folder
  • The PrivacyIE folder
  • The Cookies folder
  • The Java Cache folder contents

Now, let's consider the preceding cases as follows:

  1. Collecting the Recent folder is done as follows:
    robocopy.exe "%RECENT%" %COMPUTERNAME%\Recent /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\Recent.log

    Here %RECENT% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %RECENT% = %systemdrive%\Documents and Settings\%USERNAME%\Recent

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %RECENT% = %systemdrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent

  2. Collecting the Office Recent folder is done as follows:
    robocopy.exe "%RECENT_OFFICE%" %COMPUTERNAME%\Recent_Office /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\Recent_Office.log

    Here %RECENT_OFFICE% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %RECENT_OFFICE% = %systemdrive%\Documents and Settings\%USERNAME%\Application Data\Microsoft\Office\Recent

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %RECENT_OFFICE% = %systemdrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Office\Recent

  3. Collecting the Network Shares Recent folder is done as follows:
    robocopy.exe "%NetShares%" %COMPUTERNAME%\NetShares /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\NetShares.log

    Here %NetShares% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %NetShares% = %systemdrive%\Documents and Settings\%USERNAME%\Nethood

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %NetShares% = %systemdrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Network Shortcuts

  4. Collecting the Temporary folder is done as follows:
    robocopy.exe "%TEMP%" %COMPUTERNAME%\TEMP /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\TEMP.log

    Here %TEMP% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %TEMP% = %systemdrive%\Documents and Settings\%USERNAME%\Local Settings\Temp

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %TEMP% = %systemdrive%\Users\%USERNAME%\AppData\Local\Temp

  5. Collecting the Temporary Internet Files folder is done as follows:
    robocopy.exe "%TEMP_INTERNET_FILES%" %COMPUTERNAME%\TEMP_INTERNET_FILES /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\TEMP_INTERNET_FILES.log

    Here %TEMP_INTERNET_FILES% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %TEMP_INTERNET_FILES% = %systemdrive%\Documents and Settings\%USERNAME%\Local Settings\Temporary Internet Files

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %TEMP_INTERNET_FILES% = %systemdrive%\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files

  6. Collecting the PrivacIE folder is done as follows:
    robocopy.exe "%PRIVACIE%" %COMPUTERNAME%\PrivacIE /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\PrivacIE.log

    Here %PRIVACIE% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %PRIVACIE% = %systemdrive%\Documents and Settings\%USERNAME%\PrivacIE

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %PRIVACIE% = %systemdrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PrivacIE

  7. Collecting the Cookies folder is done as follows:
    robocopy.exe "%COOKIES%" %COMPUTERNAME%\Cookies /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\Cookies.log

    Here %COOKIES% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %COOKIES% = %systemdrive%\Documents and Settings\%USERNAME%\Cookies

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %COOKIES% = %systemdrive%\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies

  8. Collecting the Java Cache folder is done as follows:
    robocopy.exe "%JAVACACHE%" %COMPUTERNAME%\JAVACACHE /ZB /copy:DAT /r:0 /ts /FP /np /E /log:%COMPUTERNAME%\JAVACACHE.log

    Here %JAVACACHE% depends on the version of Windows.

    • For Windows 5.x (Windows 2000, Windows XP, and Windows 2003), this is as follows:
      %JAVACACHE% = %systemdrive%\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache

    • For Windows 6.x (Windows Vista and newer), this is as follows:
      %JAVACACHE% = %systemdrive%\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache
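The eight robocopy steps above differ only in the source folder, which in turn depends on the Windows generation. The following is an added example, not code from the original chapter: one script that detects the profile layout, builds all eight paths for a chosen profile, and runs robocopy for each, recording missing folders and robocopy failures. It assumes an elevated prompt (the /B part of /ZB needs the backup privilege); the first-argument convention, the :grab subroutine and the output names are this script's own assumptions.

```batch
@echo off
REM Added example, not code from the original chapter: collects the eight user
REM artifact folders above with robocopy, selecting the Windows 5.x or 6.x
REM paths automatically. Takes the profile name to collect as its first
REM argument (this script's own convention), defaulting to the current user.
REM Assumes an elevated prompt, since /ZB falls back to backup mode.
setlocal EnableExtensions
set "OUT=%~dp0%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
if "%~1"=="" (set "TARGET=%USERNAME%") else (set "TARGET=%~1")

REM Windows 6.x (Vista and newer) keeps profiles under \Users; Windows 5.x
REM (2000/XP/2003) under \Documents and Settings. The layout is detected by
REM the directory rather than by parsing the output of "ver".
REM TMP_DIR is used instead of TEMP so the shell's own %TEMP% is not clobbered.
if exist "%SystemDrive%\Users\" goto :v6
set "PROFILE=%SystemDrive%\Documents and Settings\%TARGET%"
set "RECENT=%PROFILE%\Recent"
set "RECENT_OFFICE=%PROFILE%\Application Data\Microsoft\Office\Recent"
set "NETSHARES=%PROFILE%\Nethood"
set "TMP_DIR=%PROFILE%\Local Settings\Temp"
set "TIF=%PROFILE%\Local Settings\Temporary Internet Files"
set "PRIVACIE=%PROFILE%\PrivacIE"
set "COOKIES=%PROFILE%\Cookies"
set "JAVACACHE=%PROFILE%\Application Data\Sun\Java\Deployment\cache"
goto :collect
:v6
set "PROFILE=%SystemDrive%\Users\%TARGET%"
set "RECENT=%PROFILE%\AppData\Roaming\Microsoft\Windows\Recent"
set "RECENT_OFFICE=%PROFILE%\AppData\Roaming\Microsoft\Office\Recent"
set "NETSHARES=%PROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
set "TMP_DIR=%PROFILE%\AppData\Local\Temp"
set "TIF=%PROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
set "PRIVACIE=%PROFILE%\AppData\Roaming\Microsoft\Windows\PrivacIE"
set "COOKIES=%PROFILE%\AppData\Roaming\Microsoft\Windows\Cookies"
set "JAVACACHE=%PROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache"

:collect
call :grab "%RECENT%"        Recent
call :grab "%RECENT_OFFICE%" Recent_Office
call :grab "%NETSHARES%"     NetShares
call :grab "%TMP_DIR%"       TEMP
call :grab "%TIF%"           TEMP_INTERNET_FILES
call :grab "%PRIVACIE%"      PrivacIE
call :grab "%COOKIES%"       Cookies
call :grab "%JAVACACHE%"     JAVACACHE
endlocal
exit /b 0

:grab
REM %~1 = source folder, %~2 = destination name under %OUT%. A missing source
REM is recorded rather than treated as an error, because not every profile
REM has every folder (for example, Java may never have been installed).
if not exist "%~1\" (
    echo %TIME% missing: %~1 >> "%OUT%\collect_errors.txt"
    exit /b 0
)
robocopy.exe "%~1" "%OUT%\%~2" /ZB /copy:DAT /r:0 /ts /FP /np /E /log:"%OUT%\%~2.log"
REM robocopy exit codes 0-7 are success variants; 8 and above mean failures.
if errorlevel 8 echo %TIME% robocopy exit %ERRORLEVEL% for: %~1 >> "%OUT%\collect_errors.txt"
exit /b 0
```

Each robocopy log is written beside the collected folder rather than inside it, so the evidence directories contain only what was copied from the profile.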