SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: Triage, Live Incident Response, and Memory Forensics

Our focus this week is on live response, memory forensics, and triage. New tools from Mandiant (Redline) and HBGary (Responder Community Edition) jump into the live response and memory forensics arena and appear to hold some promise for those who need to delegate first response activities to IT support staff who don't have prior Incident Response or Digital Forensics training. In "Good Reads," I've highlighted four articles that I think qualify as must-read. Mark Russinovich has posted a three-part series over the past few months detailing the process of analyzing Stuxnet (and, by extension, other malware) with Sysinternals tools. Follow that up with Corey Harrell's excellent post on forensic triage, which details a process for answering key questions quickly.

If you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Digital Forensics Framework v1.1.0 was released last week. This version adds several new features, including the ability to extract mailbox contents from PST, OST, and PAB files. For more details about the release, check out the release notes.
  • Mandiant recently released Redline, a new Windows memory forensics and triage tool that "analyzes and rates every running process on a system according to risk."
  • HBGary has released Responder Community Edition, a free version of their Windows memory analysis tool.
  • Several Sysinternals tools received updates last week, including VMMap, RAMMap, and Process Explorer.
  • Mark McKinnon has made all of the ForensicArtifacts.com posts available as an Evernote notebook. As the Forensic Artifacts site grows, this Evernote port will become increasingly useful if kept in sync with the web site. I see the most value coming from this in off-line scenarios, where you could still have the Forensic Artifacts data available via the Evernote application for your mobile device.
  • Yesterday, Harlan Carvey posted a fairly comprehensive summary of tools that have caught his attention of late. There's some overlap with my short list above, plus a lot more. I suspect most will find at least one tool on Harlan's list that they weren't previously aware of, so it's well worth the time.

Good Reads:

  • Over the past few months, Mark Russinovich has written an excellent series of articles on Analyzing a Stuxnet Infection with the Sysinternals Tools. The three-part series is both an interesting look at how Stuxnet works and, more importantly, an outstanding crash course on how to use the Sysinternals tools for malware analysis. I highly recommend reading it, then reading it again. Here are the links to all three parts: Part 1, Part 2, Part 3.
  • Corey Harrell recently posted Triaging My Way over on his blog, Journey Into Incident Response. The post presents both the high-level thought process and the specific steps needed to triage user activity "in under two minutes" on a Windows computer. I particularly like this post because it reveals process. Rather than isolating on a specific tool or artifact, Corey narrates the process and demonstrates how to get from question to answer.

News:

  • The Norwegian military announced last week that it faced a cyber attack shortly after beginning bombing operations in Libya. The attack arrived as a spear phishing campaign targeting "100 military employees, some of them high-ranking" with a malware-laden attachment. Not many details are available, and the incident is still under investigation. But this article implies that the attack was related to Norway's participation in bombing attacks against Moammar Gaddafi's forces.
  • Los Angeles Times - Bank of America data leak destroys trust - This article is a uniquely personal look at the impact of data breaches.
  • The DFRWS 2011 Forensic Challenge has been posted. This year's challenge consists of two distinct scenarios for Android forensics.
  • Voting for the 2011 Forensic 4cast Awards is open until June 5. Check out the nominees and vote for your favorites. Winners will be announced at the SANS Forensics and Incident Response Summit in Austin, TX.

Levity

Coming Events:

Digital Forensics Case Leads for 20110526 was compiled by Gregory Pendergast, forensicator, incident responder, and jack-of-all-security at Virginia Commonwealth University. If you have an article to suggest for Case Leads, please email it to caseleads@sans.org.

4 Comments

Posted May 26, 2011 at 2:43 PM

Joe Garcia

I just want to thank Mark McKinnon for setting up the ForensicArtifacts.com Evernote notebook. It is stuff like this from the community that will help make ForensicArtifacts a successful resource for us all.
Joe

Posted May 31, 2011 at 9:20 PM

Chris Bentley

Hi all,
I've just started taking a more active look at using Volatility and I thought I would point people in the direction of a new Windows batch script I've created (it's based on the one from lg's blog).
Blog Post:
http://active-security.blogspot.com/2011/05/volatility-script-for-windows.html
Script location:
https://docs.google.com/leaf?id=0Bz2rZ4S-yK8AMDE5ODhhMzEtOGNhMS00N2U3LWEyMzYtNjFkNTFmMjc4ZTZi

Posted June 2, 2011 at 11:05 AM

Tim

I agree 100% with Joe. Very cool and useful.
Tim

Posted August 21, 2014 at 11:08 AM

42lb730v

Thanks so much for this nice article