SANS Digital Forensics and Incident Response Blog: Category - Windows IR

Digital Forensics How-To: Memory Analysis with Mandiant Memoryze

Mandiant's Memoryze tool is without question one of the best forensic tools available. It is an incredibly powerful memory analysis suite that should be part of every incident responder's toolkit. It's free, but requires some patience to traverse the learning curve. Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts that operate on a completely different level than most of us mere mortals. In this post I'll cover how to get started with Memoryze, because if you haven't added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.

Getting Started

The first step is to go out and download the tool. An important thing to keep in mind is that Memoryze actually consists of two components: Memoryze and Audit Viewer. Each must be downloaded individually from the free tools section of the Mandiant


Digital Forensics: Detecting time stamp manipulation

At approximately 22:50 CDT on 20101029 I responded to an event involving a user who had received an email from a friend with a link to some kid's games. The user said he tried to play the games, but that nothing happened. A few minutes later, the user saw a strange pop up message asking to send an error report about regwin.exe to Microsoft.

I opened a command prompt on the system, ran netstat and saw an established connection to a host on a different network on port 443. The process id belonged to a process named kids_games.exe.

I grabbed a copy of Mandiant's Memoryze and collected a memory image from the system and copied it to my laptop for offline analysis using Audit Viewer.

Audit Viewer gave the kids_games.exe process a very high Malware Rating Index (see Figure 1), so I decided there was probably more

...


Digital Forensics: Persistence Registry keys

Some have called us log monkeys and claim our work is boring. Others recognize that what we do is a form of hunting. Computer Incident Response Team members watch security information event monitors (SIEMs) for indicators of compromise (IOCs). IOCs are like lycanthropes, they may be IDS/IPS alerts or blocks, or a system trying to connect to a resource it shouldn't be connecting to, or a user complaining of odd system behavior, or heaven forbid, a call from the Feds in the middle of the night.

Incident handlers may look for secondary IOCs to confirm an incident has occurred so they don't unnecessarily cause alarm or disrupt the organization. In the case of unsophisticated malware these secondary indicators can often be found by taking a quick look at the Windows Registry's run key. In many environments, this can be done remotely via:

reg query \\\\suspect.system.ip.address\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

What comes back

... Continue reading Digital Forensics: Persistence Registry keys


Digital Forensics Case Leads: Free tools, Treasure Hunts, Drive-by Attacks and Spying

This week's Case Leads features two free tools from AccessData and Paraben Corporation, a digital (forensics) treasure hunt to test your skills, spying, drive-by (browser) attacks and consequences resulting from Stuxnet.

As always, if you have an interesting item you think should be included in the Digital Forensics Case Leads posts, you can send it to caseleads@sans.org.

Tools:

  • Earlier this month AccessData released a new version of their popular (and free) utility, the FTK Imager. Version 3 has a number of useful features such as the ability to boot forensic images in VMWare and the ability to mount AFF, DD, E01, and S01 image formats as physical devices or logical drive letters. The latest version of the application also supports HFS+, VxFS (Veritas File System), exFAT, EXT4, Microsoft's VHD (Virtual Hard Disk) and compressed and uncompressed DMG

...


How To - Digital Forensic Imaging In VMware ESXi

Paul A. Henry Forensics and Recovery.com Follow me on Twitter

As a follow up to my recent SANS Forensic Blog post "How To - Digital Forensics Copying A VMware VMDK" that provided insight in to making a "GUI tool" based copy of a VMware VMDK, I have put together a How To that addresses creating a forensically sound image of a VMware VMDK on the ESXi console, that is able to provide the "chain of custody" needed in a digital forensics investigation.

Important note: In the simplest of terms a VMDK is an abstraction of a physical disk for a VM contained within a file (VMDK-flat). We are making a bit by bit

...