One of the great pleasures of performing Windows forensics is there is no shortage of application execution artifacts. Application execution tells us what has run on a system and is often the pivot point that reveals important activity on the system. Why was FTP run on this workstation? Is it normal to see execution of winsvchost.exe? Why was a privacy cleaning tool used for the first time during the system owner's last week of work? While undoubtedly useful, our adversaries are more forensic-aware than ever and often take steps to eliminate application execution artifacts. At CrowdStrike we routinelyencounter nation-state groups that attempt to delete Prefetch. Even the popular CCleaner anti-forensics tool defaults to clearing Prefetch and UserAssist data. Hence having additional sources of data can often mean the difference between an easy examination and a long, painful one.
CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.
Running YARA Scans
YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of ...
With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.
You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):
MemoryDD.bat -output E:\\
Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true
To perform live memory analysis and take advantage of capabilities like ...
Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatilityand Mandiant...
The GUI control panel is a long standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:
- Firewall changes made for unauthorized software (firewall.cpl)
- User account additions / modifications (nusrmgr.cpl)
- Turning off System Restore / Volume Shadow Copies (sysdm.cpl)
- System time changes (timedate.cpl)
- Interaction with third-party security software applets
While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As ...