SANS Digital Forensics and Incident Response Blog: Author - Chad Tilbury

SANS Digital Forensics and Incident Response Blog:

Signature Detection with CrowdResponse

CrowdResponse is a free tool written by Robin Keir from CrowdStrike. Robin has a long history of developing excellent tools for the community including SuperScan, BinText, Fpipe, and CrowdInspect. The goal of CrowdResponse is to provide a lightweight solution for incident responders to perform signature detection and triage data collection. It supports all modern Windows platforms up to Server 2012 and is command-line based making it easy to deploy at scale. Version 1.0 focuses on signature detection, with a powerful YARA scanning engine. It ships with a very detailed user manual but since only a few actually read such things, I thought it would be interesting to show the tool in action.

Running YARA Scans


YARA, or Yet Another Regex Analyzer, has become one of the leading tools for describing and detecting malware. A YARA rule consists of a series of ...

Windows 8 / Server 2012 Memory Forensics

With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.

You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):

MemoryDD.bat -output E:\\

Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true


To perform live memory analysis and take advantage of capabilities like ...

Getting Started with Linux Memory Forensics

Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatilityand Mandiant

...

Control Panel Forensics: Evidence of Time Manipulation and More

The GUI control panel is a long standing feature of Microsoft Windows, facilitating granular changes to a vast collection of system features. It can be disabled via Group Policy but is largely available to most user accounts (administrative permissions are required for some changes). From a forensic perspective, we can audit control panel usage to identify a wide range of user activity:


  • Firewall changes made for unauthorized software (firewall.cpl)

  • User account additions / modifications (nusrmgr.cpl)

  • Turning off System Restore / Volume Shadow Copies (sysdm.cpl)

  • System time changes (timedate.cpl)

  • Interaction with third-party security software applets


While identifying individual system modifications is difficult, at a minimum we can show that a user accessed a specific control panel applet at a specific time. Context provided by other artifacts may provide further information. As ...

Encrypted Disk Detector Version 2

Last year I covered the free Encrypted Disk Detector (EDD) tool and challenged the community to help crowdsource its development [link]. Thank you to all that took part in the experiment. Magnet Forensics announced today that Encrypted Disk Detector version 2 is available [get it here].

Survey Results


In addition to encouraging additional development of EDD, a side benefit of the project was to get an idea of the most popular disk encryption products being deployed. Figure 1 provides the survey results, with Checkpoint Full Disk Encryption, Symantec Endpoint Encryption, and Sophos (formerly Utimaco) Safeguard rounding out the top three. I think many of us could ...