
Tactical, Practical, Digital Forensics - John Grim

BSides Peru, 44:59, 234 views, published 2018-06
About this talk
Tactical, Practical Digital Forensics

Abstract: Digital forensics continues to change. Commercial forensic tool suites have evolved and offer many features. Endpoint Detection and Response (EDR) tools capable of cybersecurity monitoring, threat detection, and investigative response are becoming more and more popular. But what if you don't have a digital forensics tool suite? What if an EDR solution is not an option? The answer: "Tactical, Practical Digital Forensics: The 12 Must-Have Tools". Many open-source and free commercial digital forensics tools have kept up with the times too. These tools not only provide options for forensic investigators on a budget, but also perform well in getting the job done. This tactical, practical digital forensics overview provides attendees with the tools and associated techniques to collect, preserve, parse, and analyze the key artifacts for resolving malware-related data breaches and cybersecurity incidents. These 12 must-have tools focus on the most relevant system files and data, are fast and easy to use, and provide easily reviewable outputs.

Bio: John Grim has over 15 years of experience investigating data breaches and cybersecurity incidents within the government and civilian security sectors. Currently, John serves as part of the Verizon Threat Research Advisory Center (VTRAC), leading a team of highly skilled digital forensics investigators. In this role, John leads a team of highly skilled digital investigators who respond to cybersecurity incidents, conduct on-site threat mitigation activities, and perform digital forensic examinations. Prior to joining Verizon in 2009, John served 12 years with the U.S. Army investigating national security-related incidents.
Throughout his over 20 years of experience fulfilling various security, intelligence, and investigative roles in the government and civilian security sectors, John has provided computer security-related advice, assistance, and formalized instruction to both technical and non-technical audiences. John has also authored or contributed to various policies, procedures, processes, handbooks, and training materials on incident response, evidence handling, and forensic examinations.
Transcript [en]

All right, the black room is getting started. This is John Grim with Verizon; he's going to talk about tactical, practical digital forensics. Thank you, John.

Can folks hear me all the way in the back? Good afternoon, my name is John Grim, I'm with Verizon, more specifically I'm with the Verizon Threat Research Advisory Center, the investigative response team, and we do digital forensics on behalf of our external customers. I've been on the team since 2009 doing digital forensics; I currently lead a team here in the Americas. Prior to that, just to kind of give you an idea of where I come from, I used to be a civilian with the Army as well as a soldier with the Army doing counterintelligence and cyber counterintelligence investigations. So as I transitioned in 2009 to Verizon I brought my skill sets with me, and I do cases for, as I mentioned earlier, our external customers.

So what I wanted to talk about today is a tactical, practical approach to digital forensics. I'm going to talk about the 13 must-have tools, and I know the title said 12; there was one more I wanted to squeeze into today's presentation because I just really needed to make sure it was included. I want to talk about tools that are open-source tools, tools that you can use for your investigations, for your investigative response purposes. So this is the objective: collect, preserve, parse, and analyze key data sources in an

effective and efficient manner, and I'll get more to that as we progress, but I'll kind of hit home as to why we need to be effective and efficient, because time is of the essence, and doing so allows for tactical analysis, incident scoping, system triaging, and fast investigative resolution. So for the raw data that we collect, we want it to be relevant; we want it to be fast and easy to collect. For the system impact, we want to make a nominal exchange or transfer when we're using our tools, and we want to make sure we minimize any disruption to the system. And then for the data outputs, we want them to be relatively small in size, and we want them to be easily reviewable, in a format that we can look at right away.

So one of the things I want to caveat here is we're not going to be collecting a memory dump; we're not going to be collecting a full disk image. We can certainly do that, but what we're looking to do here is collect it, be able to parse it, look at it right away, and give answers back to the victim organization in terms of what we're seeing with that system. In another approach you can certainly grab the memory dump, grab the volatile data, grab the full disk image, right? That's a totally different approach that you can take, but it's going to take a little bit more time to collect and analyze that data. So when I arrive on site I need to have answers fast. Some of the questions that are coming up initially, when the investigation kicks off: When was I breached? How was access gained? How was my data exfiltrated? What malware was involved? What else happened? And, just as importantly if not more so, when will you know these answers?

So here's the scenario, a real simple scenario here: a laptop belongs to a high-profile employee, and it's suspected of being accessed and sensitive data exfiltrated. So for the parameters of this scenario, just kind of keep this in mind: it's either malware or dual-use tool

related, and when I mention dual-use tools I mean something like a remote access tool, something that's a legitimate tool that's used for illegitimate or unauthorized purposes. One system is in scope; it's a Windows 7 or newer operating system; it's a live system and it's not a virtual system; network logs are not available; time is short; storage is limited; and, most importantly, you need to have admin privileges to run these tools.

OK, so the "Fast Five Plus". In answering those questions I mentioned a couple of slides ago, we want to look at things like execution indicators of any of the applications that might be related to this particular investigation; access vectors, how did the threat actor get access to the system; involved accounts, were accounts compromised on the system and what level of privilege did those accounts have; relevant artifacts, indicators of compromise that could be helpful with intel lookups as well as with determining whether the threat actor has gained access to additional systems within the enterprise environment; and then the security posture of the system. And some other things: to the extent we can, determine if there's been data exfiltration (again, we don't have logs); what's the incident timeline, when did the breach first occur and is it still ongoing; what are the aspects or the circumstances surrounding that data breach; and finally we need to expand the scope.

So those questions that I mentioned earlier: "when breached" translates right to the incident timeline; "how accessed" to access vectors; "how exfiltrated" to data exfiltration; "what malware" to the execution indicators; "what else" to involved accounts, relevant artifacts, security posture, and expanded scope; and "when resolved", we've got to get to that big question right there.

So what I did was I took these thirteen tools and I broke them down into four steps here, as a process, as a methodology to use these tools. Now in general we're going to be collecting data; we're going to be parsing some of this data on the fly, and for some of these outputs we're going to have to parse a little bit later with some additional tools. So generally speaking we're going to go with step A, capture that

volatile data, the data that's on the system that could disappear at any time, because maybe a process stopped running, or maybe the network connection is no longer there, or maybe the operating system is running and is overwriting some of these artifacts, or maybe the threat actor is still on the system and is deleting artifacts. So we want to capture those network connections, those running processes, those user sessions, and those loaded dynamic link libraries; these are the things that are in memory. Now there's all kinds of other volatile data that you can collect as well, but we're trying to focus here on tactical, practical forensics. Step B, live system auditing: Windows events, things that are being recorded in the event logs; persistence mechanisms, if there's malware on this system, how is that malware maintaining its persistence; and finally a system audit, and this will kind of give us a sense of the security of the system. Step C, we're going to collect some raw files; those files are the master file table, the Windows registry, the Windows prefetch, and the browser history. And then step D, we're going to go ahead and parse those same four files: the MFT, registry, prefetch, as well as the browser history. So this is what we're looking at: four steps, A, B, C, D. What are those thirteen tools to look at those artifacts that I just mentioned, and more specifically how do they map to that Fast Five that I was talking about earlier: the execution

indicators, access vectors, involved accounts, relevant artifacts, and the security posture. Step A, volatile data capture. So this tool is a tool that I've used; it's a tool that's going to give us that network activity, or those network connections, and it's called CurrPorts, and it's a tool by NirSoft. So when we're looking at network connections, what we want to do is see all of those listening, established, closed, or even undetermined communication links between systems, and this information can be pulled from memory, from volatile data. So running this tool, and I'll talk about this tool a little bit more in the next slide, we're going to get the process name, we're going to get the process identifier or the PID, the protocol, the local socket, the remote socket, and that includes both the IP address and the port, as well as the state of the connection. So this first tool, number one, CurrPorts, captures those TCP/IP connections, to include those ports, and I emphasize those ports because there are some other tools out there that will collect the network connections but you may not get the ports. There's also some tools out there that will give you the ports but they won't give you some timestamps as well, and I'll talk about that when I talk about the next tool, PsList. So cports.exe, also known as CurrPorts, is a simple command-prompt tool

that you can run and output to a CSV format. So with all these tools that I'm talking about, the outputs are either the raw file itself or it's going to be a CSV or TXT output, something that you can simply open up with a text editor, Notepad++ for example, or with something like Microsoft Excel, to open up that CSV and go ahead and run filters on it. So this is real simple; you don't have to go out and get a commercial tool to be able to read these outputs; you can use some of these simple tools to read them. One of the things I also wanted to mention here is each of these tools can be run from the command line. Some of them have GUI functionality, but what we want to do is we want to make sure that we're light on the system. The more complex the tool is, the more fancy it is, the more GUI-like it is, the more, as an investigator, you're stepping on that system and potentially pushing artifacts away from that system or out of memory. So each one of these tools is run from the command prompt, and then the benefit as well of the command prompt is you can batch-script these. You can simply put all 13 of these tools into a batch script and run that batch script; that makes your life simple.

So, network connections. This is just an example; it's probably a little bit hard to see, but this particular scenario was very similar to the current scenario that I'm talking about: it involved a laptop with network connections, and there are dual-use tools that are being used by the threat actor. Here what we're looking at is network connections for TCP/IP: we can see the local port, we can see the local address, the remote port, the remote address, and the state of the connection, but most importantly we can see a process here. So we've got the TeamViewer service, and we've got a process ID of 1400. So this is good to know; we know that we

have an established network connection, we know that we have a process, and if we did a little bit of research, if we're not familiar with this tool, we'll see that it is a remote access tool, and we've got that PID, that process ID. So this is that first tool, that first must-have, CurrPorts.

Let's look at processes now. The second tool is PsList; this is a tool from Microsoft Sysinternals, and when you run that tool you're going to see an output that gives you the currently executing programs, also known as running processes, on the system. This is volatile data as well, and we're going to get an output in a table that's going to give us the process name, that PID that I referred to earlier with the previous tool, CPU time, elapsed time, a process tree, and other information. So if we just run PsList, which is available from this link right here, a Microsoft tool written by Mark Russinovich, it will show that process and thread information that I mentioned. Again, a command-prompt tool, and when we look at the outputs, it's probably really hard to see, but you're going to see here that this is in a table view. The very left-hand side is the process name; the next column is going to give us the process ID. So as we look through here, and I kind of highlighted it here, we can see right away that TeamViewer is running as an active process, and we already knew that, but now look, we see some other processes that are associated with TeamViewer as well. We've also got time context, or temporal context, in the last two columns there that give us some timestamps to work with. So if you remember, one of those questions was "when was I first breached?"; well, now we have some times to work with, and, you know, with my investigative knowledge I know that these times here are probably not the first instance of the breach, but we at least have something to work with, and we can work back in time to find when this tool was introduced to the system.

One of the things with PsList is you've got an option to add a -t to it, so if we run PsList with the tree option we can see these processes in a tree view, and the advantage that we see here is not only do we have these processes listed, but we have their association: if there's any parent process, if they're a child to a parent process, we can see that relationship, and we can get a little bit more information or knowledge as to what's going on here. Is this being run by, or associated with, cmd.exe, for example? What other processes do we maybe want to look at in

terms of the relationship with the ones that we're interested in? So this was number two on the list, PsList, Sysinternals by Microsoft.

The third tool that I wanted to bring up here was actually number thirteen on my list, and I tried to put this presentation together without including it, but in the end I decided it's best to include it because it's just such a rich tool; it can really lead you right to the account, if it's been compromised, and show you which one you need to look at. So LogonSessions: this is another Sysinternals tool from Microsoft, and it's something that has been around for a number of years. What it does is it gives you currently active logon sessions and associated running processes. So if the threat actor is on the system and is currently logged in with an account that's been compromised, not only are you going to get that active session, but you're also going to get how that account relates to any running processes. That's really key here, because if you think about it, the first two tools we mentioned, one was network connections and the second was processes; we're not seeing anything yet tied to an account. This tool will give us that information. Now there's some tools I'm going to mention a little bit later on that kind of show us which account in this particular situation has been compromised, but this will get you right to the heart of the matter. So LogonSessions lists currently active logon sessions. There's various different options here: -p lists processes running in the logon session, so you want to make sure you include that; if you don't, you're not going to get those running processes. You want to output to a simple output, so I prefer here CSV output; again, you can open this up with Microsoft Excel. And then you can accept the EULA. Now if you don't put that option in there for the Sysinternals tools to accept the EULA, you're going to get a pop-up bubble that requires you to accept the EULA manually, so I put this switch in here, because if you're putting a batch file together, you want to make sure that you accept the EULA on the fly; otherwise your batch file is going to stop until you accept the EULA. So again, a command-prompt tool, and the output, it's probably hard to see, but I can tell you there's two logon sessions that are involved right here, in addition to some other ones, but these two look particularly suspicious. Number one, on the bottom here, we can see the processes that are associated with this logon session, and we can see that there are some TeamViewer processes as well as another dual-use tool that could be something that we'd

want to look into, VeraCrypt. So if you're familiar with VeraCrypt, it's a way to encrypt content in a container or files. It's something that's used legitimately, it could be used legitimately by investigators, but it could also be used illegitimately, in an unauthorized manner, by a threat actor, so it might be something to look into. Furthermore, what are these accounts that are associated with it? It just turns out there's only one, two sessions, and the account name is jkhckr (J-K-H-C-K-R). All right, so now we have a user account to look at, right? Furthermore, we've got the security identifier for that user account, which can be helpful if we're going to be doing a deeper-dive forensic analysis of the disk as well as the event logs, and we've also got some logon times for both of these sessions for this user account, and we've got some other metadata that could be helpful later on. So in my mind I've got an account, and the next thing I want to do is determine whether this is an administrator account. You may be able to tell that from the SID, if it ends in -500 for example, or you may have to do a little bit more, and I'll show you some other ways of determining what the account's privileges are.

So number four, ListDLLs. This is

the fourth one with the volatile data that I want to talk about: dynamic link libraries. This tool is from Sysinternals again, a Microsoft tool, and DLLs, if you're not familiar with them, are modules executed by another application or by another DLL. Again, these are DLLs loaded in memory; they're not the actual DLLs themselves, or an image of the DLL, so just keep that in mind, because if you're going to dump these from memory and you hash them, it's going to be a different hash than the actual DLL that exists on disk. So with ListDLLs we'll get the process name and the PID, we'll get the command line, we'll get the application file path and the loaded DLL file paths. If you notice here, the last three things that I mention are starting to tie artifacts back to disk, so we're transitioning from volatile data to actual files on disk, including those file paths. With ListDLLs, one of the things you can do is check the -u option, or switch, and that will give you unsigned DLLs, so it'll give you a smaller list or a smaller output; it'll take a little bit longer to generate, so that may be helpful with your investigation. In this particular case we're not going to use that switch; we're just going to go ahead and accept the EULA, command prompt, and the output will look something like this. So you remember earlier we had that PID, that process ID, for the TeamViewer service; here we've got the PID 1400, so we can tie this back to some of those previous tools that we mentioned, but furthermore now we can start looking at file paths on disk. So now we've got the executable name, right, TeamViewer_Service.exe, and we've got a whole listing of DLLs that are associated with that. So if you're familiar with DLLs, and I'm not a DLL expert, but I can scan through there, and some of the things I would look for is: are there any DLLs that indicate some kind of network activity or network functionality, encryption or decryption, some of the other kinds of things that typically would show up, because that would start giving me an idea of what this tool, this dual-use tool, does if I don't already know. Another thing to look at is the file paths here: are any of these file paths suspicious? Now they all look like they're pretty normal to me; they're under the Windows System32 or SysWOW64 directory, but what if they're underneath a user account's file path, or what if they're underneath a temp file path? That might be something to look into. So this is loaded dynamic link libraries. So what we have here is CurrPorts, PsList,

LogonSessions, and ListDLLs, and that's going to get us network connections, running processes, user sessions, as well as those loaded DLLs. So let's move to step B. Step B is information that's not as volatile, but it's something that we want to get next, as soon as possible, and then we'll move into steps C and D, which is stuff that's more on disk and is, you know, less likely to change as often as the things in steps A and B. So we want to prioritize things and make sure we cover volatile data and this stuff in step B, and then we can get the stuff that's on disk a bit later. So the things that we want to look at are tools five, six, and seven: Windows events, the artifacts, persistence mechanisms, and system audit, and I'm sorry, there's only three tools in this step. And then we want to see how these map to those Fast Five Plus.

Step B, live system auditing: PsLogList. This is a Sysinternals tool as well, and this will go ahead and collect the information that's in the System, Security, and Application event logs. If you're familiar with event logging nowadays, with the modern Windows operating systems there's plenty beyond these big three event logs, but typically for investigations these three are the ones that are going to give you the

information that you need as quickly as possible. So with the EVTX format, you're going to need to have a tool to open that, either Windows itself or a third-party tool, but the good thing about PsLogList is, as we're collecting that data, we're actually parsing it and putting it into a simple readable output; in this particular case it's going to be a CSV form, so that we can open it up with Microsoft Excel or Notepad++. So the contents, and it all depends on the type of log, but generally you're going to get a log name, a source, a date and time, the event ID, the user account associated with it, and a general description. So PsLogList, again, is a command-line tool; you're going to have to specify, each time you run this, the specific log that you want to collect and parse, so that would be the Security, and then you'd run your Application, and you'd run your System log. To collect these you're going to have to do that three different times. So the output would look something like this, and I simplified this for today's presentation, I removed some of the columns, but essentially here, when we're looking at the System log, we can see date and time stamps, that's good for our timeline analysis, but we can see the user account, and here's that jkhckr user account, and we can see it's associated here, at this particular time, with TeamViewer. We can see the file path of TeamViewer and we can also see a little bit of persistence here: it says auto start. As well, the next line down here, you can see this is VeraCrypt, and this is that other dual-use tool that I was talking about; we can also see here some persistence indications that it's set to start up when the system starts. So we've got a little bit more fidelity here in terms of what we're seeing with these dual-use tools, and we're also seeing another evidence source that's confirming that this account is associated with this

activity.

Tool number six, Autorunsc. This is a Sysinternals tool as well; this is going to give us currently configured auto-start applications. So we did see some indications of persistence in the previous slide, with the previous tool; this tool will actually run against the live system and it will give us all the known-to-date, depending on the version of Autoruns, persistence locations or auto-start locations that are out there. This could be anything from a registry entry to a file path to something that has to do with a BHO for your browser, so this output is going to give you various things, including services, scheduled tasks, and other things such as drivers, DLLs, and whatnot. So I ran Autoruns, and let me tell you real quick before I run this: there are two versions of Autoruns. There's the GUI version, which is just Autoruns, and the version with the C after it, which stands for command prompt or console, is the one we want to run from the command prompt. So we can specify here to show all entries with the options, we can specify here to output in CSV format, and then we can also verify signatures if we want, and that's going to take a little bit more time, but I recommend doing that because that could be helpful as well when we're trying to determine the output and whether it's suspicious or not. So here's just a snippet, in CSV format, of the Autoruns output, and you can see on the very left-hand side we've got some timestamps here, we've got the entry location, each one of these is related to the Windows registry, and you can see in red font here I've got TeamViewer and VeraCrypt highlighted, and we can see the category of auto-starts: this first one, TeamViewer, is a service, and the second one that's highlighted there is a driver. Profile: system-wide. And then we've got a little bit of description, the publisher, and we've got the file path; again, that should match up with what we've seen already with, for example, the ListDLLs output, and then we can see the launch string. So we've got a little bit more to look at now. This is just a snippet of the Autoruns output; there's plenty of other things that came out from this, so, you know, I encourage you, if you haven't used this tool before, play around with it, look at it, explore, see what all it provides in terms of fidelity of auto-start locations.

Number seven, tool WinAudit. So this tool is a tool from Parmavex Services called WinAudit. You can download this as well, and I have the link on the next slide. This will give you a lot of information from an auditing standpoint that you can use for

your investigation or for your incident response purposes. A lot of the information here that's provided doubles up with some of the other tools that we've mentioned, so if you're not able to run those other tools, you can run this and it'll provide, for example, a list of network connections, a list of running processes, but what I want to use this for is some other things, and I'll get to that when I show you the example here. So this will give a system overview; it will give us installed software, without even having the disk image; security settings; it'll give us groups and users; and, as I mentioned earlier, network settings and connections, services, some of the stuff that Autoruns provided. So here's the link here, parmavex.co.uk; here's the command prompt, and you're probably wondering about those options, that's pretty crazy. If you run the GUI version of WinAudit you have a menu where you can check what it'll run an audit for, and that menu's got a couple dozen different options, so these options here that I've strung together are the ones that I've found that are most useful for the forensic investigations that I do. So anyway, you can run this either from the command prompt or the GUI. This is just a simple output into CSV, and what we can see here from this system audit, again, we haven't collected the disk or anything, or any logs, we can see that Windows Firewall has an authorized application: it's the TeamViewer remote control service. So one of the things I would ask the victim organization, if I haven't already asked that question, is: do you run TeamViewer? Is that a tool you use? If not, you've got it running here, and it's a service, and someone with admin privileges had to authorize this or put this into play. And then as we look down here we can see a list of the administrators, and there's that jkhckr, so, you know, I'm pretty sure that this is probably not a legitimate account; in fact, the first time I'd see it I'd bring it up to the victim organization just to make sure. So this definitely looks like it's something suspicious, and if I hadn't already determined that it was an administrator account, I can see by virtue of WinAudit that it's labeled as an administrator account.

So that's step B: that's PsLogList, our Windows event logs, again those big three, Application, System, and Security; persistence mechanisms using Sysinternals Autorunsc; and then WinAudit to audit the system and get a little bit more granularity in terms of what's going on on the system, the security settings and whatnot. So let's go and collect some things off of disk.

So this is step C, and we're going to use two tools to do this, and I'll show you what those tools are in a couple of slides here. What we want to collect is the NTFS Master File Table; that's going to give us a listing of all of the files that are on that volume. So keep in mind, if you have various NTFS volumes, there's going to be an MFT on each one of those, right? So typically the ones I'm interested in are the MFTs that are on the same volume as the operating system, but if you have other partitions in NTFS, there's going to be a separate MFT, so you're going to have to grab those as well if that's part of the scope of your investigation. So we want to grab the MFT because it's going to give us a list of files; it's also going to give us timestamps; it's also going to give us a little bit more information in terms of those files. We're going to look at the Windows registry and grab those Windows registry hives, as well as the NTUSER.DAT files and the UsrClass.dat files, and I'll explain a little bit more about those later. And we're going to use a second tool to grab the Windows prefetch, and then we're going to grab the browser history, and the wonderful thing about the tool that I'm going to mention for the browser history is it's not just one type of browser history that it'll capture; it'll capture the four main browsers that we tend to see nowadays: either the Internet Explorer/Edge browser, Firefox, Safari, or the Chrome browser. So this is what we're going to do: we're going to go ahead and collect and preserve those files, those main files from disk. Now you're probably wondering why aren't we grabbing the Windows event logs. We can certainly do that, but we've already parsed them with PsLogList, you know, probably, if the batch script runs, just seconds prior to this, but you can certainly use these

two tools I'm going to talk about to grab those event logs and you can certainly grab other files as well but just for the tactical practical of what we're doing these are the big files I want to grab off a disk so raw file collection number eight tool raw copy 64 this is a 64-bit version of it this is a tool from Joakim Schmidt or schickt and you can download it from this link here a github link and it copies files to include inaccessible files off of NTFS volumes so if you've done forensics it's really you you've got to use a tool like ftk imager on a live system or something similar to be able to grab those system

files like NTFS MFT okay otherwise you're gonna have to get an image of the disk and then go that way with with the image to pull out the files you need so the wonderful thing with raw copy with a live system we can go ahead and access that MFT and pull a copy of it off of the disk so it's a command prompt the one thing I just wanted to say about the MFT is it's number it's file number is zero so you need to specify zero to pull off the MFT with this raw copy if you're going to be pulling off any other files and you can just specify the file name and the file path so raw copy we're

gonna use that to collect the master file table and then very similarly we're going to collect the Windows registry and if you're not familiar with the Windows registry what we're looking to collect is those four hives that are going to be on disk the Sam the security system and software hives and then I mentioned earlier the NT user dot files and the user class dot bat files so command prompt with raw copy is is simply specifying the path of that registry hive and then for the ant user debt and user class data its specifying the locations of those two debt files for that user account so your approach could be to just grab those specific

files to that suspicious account JK hacker or you can just go ahead and grab all of the ant user debt and user class dat files for the other users just in case your scope expands but it's all up to you and the second to one mentioned is robocopy this comes with Microsoft's you can find it under the system32 directory on your operating system your windows 7 or newer actually robocopy goes back in time so you can you know find it as well on previous versions of Windows there's some options here we want to copy all we also want to use the the logging function within there so here we're going to use robocopy to capture the Windows prefetch files and

if you're not familiar with the prefetch files prefetching there's two types of prefetch files basically there's one for booting and one for applications you want to grab all of those dot PF files because these are artifacts and indicate if something has executed right the system's booted but also if an application is executed and you can get some some nice granularity from other prefetch files in terms of the history of that application and I'll talk about that in a few slides so we're gonna use raw copy and robocopy for the browser history so tool number seven and tool which which should be number eight robocopy and the reason why we got to do this is raw copy will grab the web cache v01 dot

files for your internet explorer edge okay but we also want to get those unwritten browser events that haven't been included in the web cache files and those are those are log files okay so we need to use robocopy to grab those log files that's the latest browser data that just hasn't been written to the web cache v01 dot dat file so we need to use both a combination of raw copy and an accommodation or and with robocopy to get both of those sets of files there's a lot more to this and analyzing this I just wanted to point out that the tools can grab all the browser history that's been recorded for particular browser so mapping the 13

must-haves to the fast 5o step a B and C we've done step C we've grabbed some of those disk files now we need to parse those disk files so this will be stools 10 11 12 and 13 first thing let's go ahead and parse the MFT so a wonderful thing about a a volatile data parsing tool called volatility if you're not familiar with it it's got multiple plugins for parsing a memory dump you can also use one of these plugins called MFT parser to parse the MFT file itself okay I actually found that out by but just playing around with it and and sure enough you can actually use this volatility plugin to parse the MFT

so we pulled that MFT off of the c volume in this particular case it had the operating system now what do we do with it well we can go ahead and run volatility MFT parser which is available at downloads that volatility foundation.org and parse that and get an output very similar to this so if you look at this and you can actually control the different types of outputs this one here I prefer this a table output that gives me each entry and and the MFT could be 10 10 20 30 or more megabytes in size you're going to be simplifying that raw file down to something that's human readable in a text file and here for example what I've

got highlighted here is the TeamViewer setup.exe prefetch file okay so this tells me a couple things well it sounds like it's a setup file so this is probably the pre fetch that was used to initially set up TeamViewer right I don't want to make an assumption but I could probably make pretty educated guess and I'd have to double-check that and so it's it's actually a prefetch file so it tells me it ran at least one time ok and I can see some timestamps here I've got the file name attribute and I've got the standard information attribute timestamps okay so prefetch file it's not going to be really helpful if I'm looking for time stopping which is out of the scope

of today but when you look at the MFT you can compare these timestamps to see if there's a difference and it could indicate that somebody's been time stomping the the date time stands for four files but here what I'm seeing here is I can add to my my time line here of activity when this prefetch file was first created could give me an indication of when it potentially first ran and some other information that modified as well as the access date okay so I'm gonna want to look at this prefetch file later on and dig into it and see what other artifacts I can pull out tool number eleven is read ripper this is a tool that can parse the

Windows registry it's in terms of the Windows registry if you're not familiar with it there's four main hives so they're gonna be on disk they're gonna be the Sam security software and system and I mentioned earlier there's also the into user dot and user class dot dot files so this tool Red River from by harvan car Harlan Carvey is downloadable from github this will go ahead and parse those hives but you got to collect those highs first and you can use the command prompt version of this there's also a GUI version it's more like a framework so folks out there in the community have written various different plugins for red ripper and those are all

downloadable from github as well so with the Red Nosed registry this is just an example the software hive in one of the plugins that ran this is the uninstall plugin this will give us a list of software that's on the system and here we can see the TeamViewer and we can see the veracrypt as listed within this Windows registry path right here ok and we've got some timestamps as well with both of these files so that's good to know let's go ahead and parse the NT user dot dot file and I'll show you example here here's the NT user dot dot file and this is the application compatibility Flags plugin and this is going to give us some

information here for both team viewer as well as the veracrypt setup and we can see the file path that falls under that suspicious user account we've also got user assist down here in this plugin that was written is going to give us user assist which is when a user's use in Windows Explorer to run an executable it's going to be recorded in here so we're gonna see some more timestamps here we've got veracrypt we've also got veracrypt set up being in a directory that's got downloads within the file path so this is kind of like oh this is right maybe this is where these tools came from that's sounding like it's coming from potentially the browser

so remember one of those big five things that we're looking to solve as how did these tools or the threat actor get into the system so we might have a browser thing going on right here but let's let's let's hold off on that and parse the browser here in a little bit so the windows prefetch view this is going to be tool number twelve and this is a tool from near soft and the file path of the prefetch is going to be C Windows prefetch and then the executable file name within the prefetch file okay so when we look inside each one of these prefetches will see the original egg beautiful will see last run time see the

run counter how many times that executable ran will see a listing of dll's and then we'll see additional things such as files and directories used so win prefetch file available from near softs and we're gonna output this to CSV format again command prompt and here's an output from that tool and you can see here in red we've got various different TeamViewer related files here that are found in prefetch so it's telling me that these executables ran at least once okay but if you look at this and if you remember PS list which was tool number two we did see some additional processes that look like they were associated with TeamViewer two of them started with T V we can see here

there's some prefetch files that look like they correlate with those those processes that were running the second column here is the the original executable and then the last run time and then the run counter is gonna tell us how many times that executable ran and was recorded in this instance of prefetch now someone could come in there and clear out the prefetch and then the prefetch files would would be you later each time those executables ran so keep that in mind that just because this run count for example says three doesn't mean that was the only three times that this executable ran on the system somebody could have cleared out the original prefetch and it's

starting in the counter started all over again the one thing I didn't mention is you're probably wondering what these alpha numerics are and the the second half of the filename so the first half of the PF or the prefetch file is going to have the original executable name and then these alpha numerics here are going to give you it's basically gonna it's a way of making the prefetch file unique because the same executable could be in on the system in multiple places in multiple file paths and run from those file paths so this alpha numeric here is telling the it's it's a way that the system can to determine where that application ran from on the system for

kind of a clumsy way of explaining it and down here we've also got veracrypt looking like there's three different files associated with that that ran in the past two nor thirteen browsing history view so this is another near soft tool this particular example on this show with Internet Explorer I mentioned web cache v01 dot dat in the past so this will actually parse the web cache file it'll give you an output of user profile the web browser the visit time and date to visit count in the URL so it's a command prompt tool the one thing I wanted to point out and I pointed this out earlier is it'll do multiple opera browsers the Safari the

Firefox the internet explorer edge as well as the chrome okay and the good thing too is if you're running it against the system it'll go ahead in this particular example in parts the different browsers regardless of the browser you don't have to specify that every time so here we can see in this output that Jake a hacker using Chrome was looking doing a search on Google for veracrypt and then he was also doing a search on Google Google for Team Viewer and we've got times for that down here we've got some more in browser activity by JK hacker with chrome but sandwich Street in the middle here is Internet Explorer so this is a second browser that we're gonna have to

look at okay so coming to the end here so mapping the 13 must-haves to the fast 5 we did four steps a B C and D 13 tools within each of those steps that map to the artifacts there in the middle column and then these further map to those fast five the execution indicators the access vectors involved accounts relevant artifacts and security posture one of the final actions you want to take and these are the output files here just listed ABC and D is you want to go ahead and hash those files so one of the things you can use is Jessie corn blooms md5 deep Jessie corn bloom and Simpson Garfinkel I should say you can run md5

deep against all of those texts and CSV outputs and the raw files that you collected and have an output that gives you all the md5 hashes those files that you can store in your case notes so takeaways the 13 must have tile tools that I mentioned most of these are either collecting and parsing and in the case of raw robocopy and raw copy we're just collecting we're gonna have to use for other tools the MFT parser read rip or wind prefetch for you and browsing history view to go ahead and parse those as you can see i'm highlighted here with the text files and in cs5 is v files are the output so again use notepad plus

plus or Microsoft Excel to open that up and do your parsing your searching or whatnot and then mapping these as well to those fast fives as I mentioned earlier the approach was execution indicators access vectors involved accounts relevant artifacts or I OCS security posture data exfiltration incident timeline and expanded scope so incident timeline we can answer that with right answer the question of when breached access vectors how accessed data exfiltration how exfiltrated execution indicators what malware and we can also answer those questions about involved accounts the relevant artifacts security posture and expand scope and finally we can determine what happened and resolve the in the actual incident itself it brings me to the end I know we're out of time so I'll go

ahead and I'll be here for the next few minutes if anybody has any questions but thank you very much for your time and have a wonderful afternoon [Applause]
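As an added example, not part of John Grim's talk or any of the tools he names: a short Python script that reads a WinPrefetchView-style CSV export, splits each prefetch filename into the executable name and the path hash the talk describes, and groups run counts per executable so that an executable with more than one path hash (ran from more than one location) stands out. The column names and the sample rows are constructed for the example; the only real convention relied on is the Windows `EXENAME-XXXXXXXX.pf` naming.

```python
"""Summarise a prefetch listing per executable.
Added example, not the talk's or NirSoft's code; CSV columns and rows are constructed."""
import csv
import io
import re
from collections import defaultdict

# Prefetch files are named <EXECUTABLE>-<8 hex chars>.pf; the hex part is derived
# from the path the executable ran from, so one binary run from two locations
# leaves two .pf files (the talk's "alphanumerics in the second half").
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<path_hash>[0-9A-F]{8})\.pf$", re.I)

# Constructed sample export; column layout is assumed, not copied from WinPrefetchView.
SAMPLE_CSV = """Filename,Process EXE,Run Counter,Last Run Time
TEAMVIEWER_SETUP.EXE-1A2B3C4D.pf,TeamViewer_Setup.exe,1,2018-05-01 10:02:11
TEAMVIEWER.EXE-5E6F7A8B.pf,TeamViewer.exe,3,2018-05-01 10:05:40
TV_W32.EXE-9C0D1E2F.pf,tv_w32.exe,3,2018-05-01 10:05:41
VERACRYPT.EXE-0F1E2D3C.pf,VeraCrypt.exe,2,2018-05-02 08:15:00
VERACRYPT.EXE-4B5A6978.pf,VeraCrypt.exe,1,2018-05-02 09:30:12
"""

def parse_prefetch_name(name):
    """Split 'NAME.EXE-HASH.pf' into (executable, path hash); None if it does not match."""
    m = PF_NAME.match(name)
    if not m:
        return None
    return m.group("exe").upper(), m.group("path_hash").upper()

def summarise_prefetch(csv_text):
    """Group rows by executable: recorded runs, distinct path hashes, latest last-run time."""
    summary = defaultdict(lambda: {"runs": 0, "path_hashes": set(), "last_run": ""})
    for row in csv.DictReader(io.StringIO(csv_text)):
        parsed = parse_prefetch_name(row["Filename"])
        if parsed is None:
            continue  # not a prefetch file name; skip rather than guess
        exe, path_hash = parsed
        entry = summary[exe]
        entry["runs"] += int(row["Run Counter"])  # a lower bound: prefetch can be cleared
        entry["path_hashes"].add(path_hash)
        entry["last_run"] = max(entry["last_run"], row["Last Run Time"])
    return dict(summary)

def ran_from_multiple_paths(summary):
    """Executables whose prefetch entries carry more than one path hash."""
    return sorted(exe for exe, e in summary.items() if len(e["path_hashes"]) > 1)

if __name__ == "__main__":
    s = summarise_prefetch(SAMPLE_CSV)
    for exe, e in sorted(s.items()):
        print(f"{exe}: runs={e['runs']} paths={len(e['path_hashes'])} last={e['last_run']}")
    print("ran from multiple paths:", ran_from_multiple_paths(s))
```

The run totals are a lower bound for the reason given in the talk: clearing the prefetch directory resets the counters, so a small number does not rule out earlier executions.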