SANS Digital Forensics and Incident Response Blog: Author - Keven Murphy

Mass Triage Part 3: Processing Returned Files - At Jobs

Our story so far... Frank, working with Hermes, another security analyst, goes to work to review the tens of thousands of files retrieved by FRAC. They start off by reviewing the returned AT jobs. AT Job Used by Actors AT jobs are scheduled tasks created using the at.exe command. At jobs take the filename format … Continue reading Mass Triage Part 3: Processing Returned Files - At Jobs


Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2

FRAC is a GPLv2 project that can run remote commands across a Windows enterprise network. It consists of a Perl script, basic configuration files, and an SMB share. It uses PAExec or Winexe to connect to the remote machines, and then runs the commands required. It doesn't require a powerful system to run from, but does require lots of disk space if it has been configured to collect files. FRAC can run on the Linux, *NIX, and OSX using Winexe to connect to the remote Windows machines. Continue reading Mass Triage: Retrieve Interesting Files Tool (FRAC and RIFT) Part 2


Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1

In the course of an incident incident responders will have to retrieve files from a machine in a forensically sound manner. RIFT copies files from a subject machine in a forensically sound manner using the Sleuthkit toolset. By simply running RIFT with a regex list of file names or directories, specific files and folders are targeted for extraction. For each match, icat is then used to copy the file or folder to a drive/share other than the C drive. Continue reading Mass Triage: Retrieve Interesting Files Tool (RIFT) Part 1


Solaris Digital Forensics: Part2

This series of articles is a primer on Solaris forensics. As such each article will build upon the last and should be read from start to finish for those new to Unix. Part 1 is available at https://blogs.sans.org/computer-forensics/2010/10/15/solaris-forensics-part-1/.

Reading ls output

Being able to correctly read the ls command's output is critical for moving around the OS and to looking for signs of compromise. As you go through the filesystem, keep in mind you may not be truly seeing an accurate picture of the filesystem. If the machine has a rootkit installed on it, some of the files and directories may be hidden.

In the UNIX filesytem we have some basically defined file types:

  • Regular files
  • Directories
  • Symbolic Links (hard and soft)
  • Device

...


Solaris Forensics: Part 1

Introduction

Welcome to the first set of a series of articles on doing forensics on Solaris systems. Initially, I am going to go over the basics of Solaris from the forensics point of view. That is to say that I will not be going over Solaris administration, but rather how things work in Solaris. Our first few steps involves:

  • How the filesystem is laid out (i.e. what kinds of files are in the main directories),
  • A brief discussion on reading ls output as this sets up for:
    • How permissions work
    • What users and groups are
    • Soft and hard links
    • Link counts
    • Basic file types (regular files, directories, links, character devices, and block devices)
  • Breakdown on Solaris slices (partitions)
  • Imaging Solaris drives remotely
  • More stuff to follow :)

I think it is important to understand the basics of how Solaris functions, or any OS for that

... Continue reading Solaris Forensics: Part 1